A workflow specification defines a set of steps and the order in which those steps must be executed. Security 
requirements may impose constraints on which groups of users are permitted to perform subsets of those 
steps. A workflow specification is said to be satisfiable if there exists an assignment of users to workflow 
steps that satisfies all the constraints. An algorithm for determining whether such an assignment exists 
is important, both as a static analysis tool for workflow specifications, and for the construction of run-time 
reference monitors for workflow management systems. Finding such an assignment is a hard problem in 
general, but work by Wang and Li in 2010 using the theory of parameterized complexity suggests that 
efficient algorithms exist under reasonable assumptions about workflow specifications. In this paper, we 
improve the complexity bounds for the workflow satisfiability problem. We also generalize and extend the 
types of constraints that may be defined in a workflow specification and prove that the satisfiability problem 
remains fixed-parameter tractable for such constraints. Finally, we consider preprocessing for the problem 
and prove that in an important special case, in polynomial time, we can reduce the given input into an 
equivalent one, where the number of users is at most the number of steps. We also show that no such 
reduction exists for two natural extensions of this case, which bounds the number of users by a polynomial 
in the number of steps, provided a widely-accepted complexity-theoretical assumption holds. 
1. INTRODUCTION 

It is increasingly common for organizations to computerize their business and manage- 
ment processes. The co-ordination of the tasks or steps that comprise a computerized 
business process is managed by a workflow management system (or business process 
management system). Typically, the execution of these steps will be triggered by a 
human user, or a software agent acting under the control of a human user, and the 
execution of each step will be restricted to some set of authorized users. 

A workflow typically specifies the steps that comprise a business process and the 
order in which those steps should be performed. Moreover, it is often the case that 
some form of access control, often role-based, should be applied to limit the execu- 
tion of steps to authorized users. In addition, many workflows require controls on 
the users that perform groups of steps. The concept of a Chinese wall, for example, limits the set of steps that any one user can perform [Brewer and Nash 1989], as does separation-of-duty, which is a central part of the role-based access control model [American National Standards Institute 2004]. Hence, it is important that workflow management systems implement security controls that enforce authorization rules and business rules, in order to comply with statutory requirements or best practice [Basin et al. 2011]. It is these "security-aware" workflows that will be the focus of the remainder of this paper. 

A simple, illustrative example for purchase order processing [Crampton 2005] is shown in Figure 1. In the first step of the workflow, the purchase order is created 
and approved (and then dispatched to the supplier). The supplier will submit an in- 
voice for the goods ordered, which is processed by the create payment step. When the 
supplier delivers the goods, a goods received note (GRN) must be signed and counter- 
signed. Only then may the payment be approved and sent to the supplier. Note that a 
workflow specification need not be linear: the processing of the GRN and of the invoice 
can occur in parallel, for example. 

In addition to defining the order in which steps must be performed, the workflow 
specification includes rules to prevent fraudulent use of the purchase order processing 
system. In our example, these rules take the form of constraints on users that can 
perform pairs of steps in the workflow: the same user may not sign and countersign 
the GRN, for example. (We introduce more complex rules in Section 2 and later sections.) 




[Figure 1: (a) Ordering on steps; (b) Constraints; (c) Legend] 

Fig. 1. A simple constrained workflow for purchase order processing 



It is apparent that it may be impossible to find an assignment of authorized users 
to workflow steps such that all constraints are satisfied. In this case, we say that 
the workflow specification is unsatisfiable. The WORKFLOW SATISFIABILITY PROBLEM (WSP) is known to be NP-hard, even when the set of constraints only includes constraints that have a relatively simple structure (and that would arise regularly in practice).¹ 

It has been argued that it would be of practical value to be able to define constraints in terms of organizational structures, rather than just the identity of particular users [Wang and Li 2010]. One of the contributions of this paper is to introduce a model for hierarchical organizations based on the notion of equivalence classes and partition refinements. We demonstrate how to construct an instance of our model from a management structure and illustrate why constraints defined over such models are of practical value. The use of cardinality constraints in access control policies has also attracted considerable interest in the academic community [Joshi et al. 2005; Sandhu et al. 1996; Simon and Zurko 1997]. Cardinality constraints can encode a number of useful requirements that cannot be encoded using the constraints that have been used in prior work on WSP. A second contribution of this paper is to introduce counting constraints for workflows, a natural extension of cardinality constraints, and to examine WSP when such constraints form part of a workflow specification. 



Wang and Li [2010] observed that the number of steps in a workflow is likely to be small relative to the size of the input to the workflow satisfiability problem. This observation led them to study the problem using tools from parameterized complexity and to prove that the problem is fixed-parameter tractable for certain classes of constraints. These results demonstrate that it is feasible to solve WSP for many workflow specifications in practice. However, Wang and Li also showed that for many types of constraints the problem is fixed-parameter intractable unless the parameterized complexity hypothesis FPT $\neq$ W[1] fails, which is highly unlikely. (We provide a short introduction to parameterized complexity in Section 3.1.) In this paper, we extend the results of Wang and Li in several different ways. 

1. First, we introduce the notion of counting constraints, a generalization of cardinal- 
ity constraints, and extend the analysis of WSP to include such constraints. 

2. Our second contribution is to introduce a new approach to WSP, which makes use of a powerful, recent result in the area of exponential-time algorithms [Bjorklund et al. 2009]. We establish necessary and sufficient conditions on 
constraints that will admit the use of our approach. In particular, we show that 
counting constraints satisfy these conditions, as do the constraints considered by 
Wang and Li. This approach allows us to develop algorithms with a significantly 
better worst-case performance than those of Wang and Li. Moreover, we demon- 
strate that our result cannot be significantly improved, provided a well-known hy- 
pothesis about the complexity of solving 3-SAT holds. 

3. Our third extension to the work of Wang and Li is to define constraints in terms 
of hierarchical organizational structures and to prove, using our new technique, 
that WSP remains fixed-parameter tractable in the presence of such hierarchical 
structures and hierarchy-related constraints. 

4. Our fourth contribution is to instigate the systematic study of parameterized compression (also known as kernelization) of WSP instances.² We show that a result of Fellows et al. [2011, Theorem 3.3] on a problem equivalent to a special case of WSP can be slightly extended and significantly improved using graph matchings. We also prove that two natural further extensions of the result of Fellows et al. are impossible subject to a widely-accepted complexity-theoretical hypothesis. 

¹ In particular, the GRAPH k-COLORABILITY problem can be reduced to a special case of WSP in which the workflow specification only includes separation-of-duty constraints [Wang and Li 2010]. 

² Kernelization of WSP instances can be extremely useful in speeding up the solution of WSP: the compressed instance can be solved using any suitable algorithm (such as a SAT solver), not necessarily by an FPT algorithm. 

In the next section, we introduce the workflow satisfiability problem. In Section 3 we provide a brief introduction to fixed-parameter tractability, prove a general result characterizing the constraints for which WSP is fixed-parameter tractable, and apply this result to counting constraints. In Section 4 we extend the results of Wang and Li, by improving the complexity of the algorithms used to solve WSP and by introducing constraints based on equivalence relations. In Section 5 we introduce a model for an organizational hierarchy and a class of constraint relations defined in terms of such hierarchies. We demonstrate that WSP remains fixed-parameter tractable for workflow specifications that include constraints defined over an organizational hierarchy. In Section 6 we discuss kernelization of WSP and prove that in an important special case, in polynomial time, we can transform the given input into an equivalent one, where the number of users is at most the number of steps. We also show that no polynomial transformation exists for two natural extensions of this case, which bounds the number of users by a polynomial in the number of steps, unless a certain complexity-theoretical assumption fails. The paper concludes with a summary of our contributions and discussions of related and future work. 

2. THE WORKFLOW SATISFIABILITY PROBLEM 

In this section, we introduce our notation and definitions, derived from earlier work by Crampton [2005] and Wang and Li [2010], and then define the workflow satisfiability problem. 

A partially ordered set (or poset) is a pair $(X, \leqslant)$, where $\leqslant$ is a reflexive, antisymmetric and transitive binary relation defined over $X$. If $(X, \leqslant)$ is a poset, then we write $x \parallel y$ if $x$ and $y$ are incomparable; that is, $x \not\leqslant y$ and $y \not\leqslant x$. We may write $x \geqslant y$ whenever $y \leqslant x$. We may also write $x < y$ whenever $x \leqslant y$ and $x \neq y$. Finally, we will write $[n]$ to denote $\{1, \dots, n\}$. 

Definition 2.1. A workflow specification is a partially ordered set of steps $(S, \leqslant)$. An authorization policy for a workflow specification is a relation $A \subseteq S \times U$. A workflow authorization schema is a tuple $(S, U, \leqslant, A)$, where $(S, \leqslant)$ is a workflow specification and $A$ is an authorization policy. 

If $s < s'$ then $s$ must be performed before $s'$ in any instance of the workflow; if $s \parallel s'$ then $s$ and $s'$ may be performed in either order. Our definition of workflow specification does not permit repetition of tasks (loops) or repetition of sub-workflows (cycles). User $u$ is authorized to perform step $s$ only if $(s, u) \in A$.³ We assume that for every step $s \in S$ there exists some user $u \in U$ such that $(s, u) \in A$. 

Definition 2.2. Let $(S, U, \leqslant, A)$ be a workflow authorization schema. A plan is a function $\pi : S \to U$. A plan $\pi$ is authorized for $(S, U, \leqslant, A)$ if $(s, \pi(s)) \in A$ for all $s \in S$. 

The access control policy embodied in the authorization relation A imposes restric- 
tions on the users that can perform specific steps in the workflow. A workflow autho- 
rization constraint imposes restrictions on the execution of sets of steps in a workflow. 



³ In practice, the set of authorized step-user pairs, $A$, will not be defined explicitly. Instead, $A$ will be inferred from other access control data structures. In particular, R²BAC, the role-and-relation-based access control model of Wang and Li [2010], introduces a set of roles $R$, a user-role relation $UR \subseteq U \times R$ and a role-step relation $SA \subseteq R \times S$ from which it is possible to derive the steps for which users are authorized. For all common access control policies (including R²BAC), it is straightforward to derive $A$. We prefer to use $A$ in order to simplify the exposition. 



ACM Journal Name, Vol. V, No. N, Article A, Publication date: January YYYY. 



On the Parameterized Complexity and Kernelization of the Workflow Satisfiability Problem A:5 

A constraint is defined by some suitable syntax and its meaning is provided by the restrictions the constraint imposes on the users that execute the sets of steps defined in the constraint. In other words, constraint satisfaction is defined with reference to a plan; a valid plan is one that is authorized and allocates users in such a way that the constraint is satisfied. A very simple example of a constraint is one requiring that steps $s$ and $s'$ are executed by different users. Then a valid plan $\pi$ (with respect to this constraint) has the property that $\pi(s) \neq \pi(s')$. A constrained workflow authorization schema is a tuple $(S, U, \leqslant, A, C)$, where $C$ is a set of workflow constraints.⁴ A plan is valid for an authorization schema if it is authorized and satisfies all constraints in $C$. We define particular types of constraints in Sections 2.2 and 2.3. 

We may now define the workflow satisfiability problem, as defined by Wang and Li [2010]. 



Workflow Satisfiability Problem (WSP) 

Input: A constrained workflow authorization schema $(S, U, \leqslant, A, C)$ 
Output: A valid plan $\pi : S \to U$ or an answer that there exists no valid plan 



We will write c, n and k to denote the number of constraints, users and steps, re- 
spectively, in an instance of WSP. We will analyze the complexity of the workflow 
satisfiability problem in terms of these parameters. 

2.1. Applications of WSP 

An algorithm that solves WSP can be used by a workflow management system in one 
of three ways, depending on how users are allocated to steps in an instance of the 
workflow. Some systems allocate an authorized user to each step when a workflow 
instance is generated. Other systems allocate users to only those steps that are ready 
to be performed in an instance of the workflow. (A step is ready only if all its immediate 
predecessor steps have been completed.) The third possibility is to allow users to select 
a step to execute from a pool of ready steps maintained by the workflow management 
system. 

For the first type of system, it is important to know that a workflow is satisfiable and 
an algorithm that solves WSP can simply be used as a static analysis tool. The NP- 
hardness of the problem suggests that the worst-case run-time of such an algorithm 
will be exponential in the size of the input. Hence, it is important to find an algorithm 
that is as efficient as possible. 

For the second and third cases, the system must guarantee that the choice of user to 
execute a step (whether it is allocated by the system or selected by the user) does not 
prevent the workflow instance from completing. This analysis needs to be performed 
each time a user is allocated to, or selects, a step in a workflow instance. The question can be resolved by solving a new instance of WSP, in which those steps to which users have been allocated are assumed to have a single authorized user (namely, the user that has been allocated to the task) [Crampton 2005, §3.2]. Assuming that these checks should incur as little delay as possible, particularly in the case when users select steps in real time [Kohler and Schaad 2008], it becomes even more important to find an algorithm that can decide WSP as efficiently as possible. 

The definition of workflow satisfiability given above assumes that the set of users and the authorization relation are given. This notion of satisfiability is appropriate when the workflow schema is designed "in-house". A number of large information technology companies develop business process systems which are then configured by the end users of those systems. Part of that configuration includes the assignment of users to steps in workflow schemas. The developer of such a schema may wish to be assured that the schema is satisfiable for some set of users and some authorization relation, since the schema is of no practical use if no such user set and authorization relation exist. The desired assurance can be provided by solving an instance of WSP in which there are $k$ users, each of which is authorized for all steps. The developer may also determine the minimum number of users required for a workflow schema to be satisfiable. The minimum number must be between 1 and $k$ and, using a binary search, can be determined by examining $\lceil \log_2 k \rceil$ instances of WSP. 

⁴ The set of constraints defines what has been called a history-dependent authorization policy [Basin et al. 2012]; the relation $A$ defines a history-independent policy. 

2.2. Constraint Types 

In this paper, we consider two forms of constraint: counting constraints and entailment constraints. A counting constraint has the form $(t_\ell, t_r, S')$, where $1 \leqslant t_\ell \leqslant t_r \leqslant k$ and $S' \subseteq S$. A counting constraint is a generalization of the cardinality constraints introduced in the RBAC96 model [Sandhu et al. 1996] and widely adopted by subsequent access control models [American National Standards Institute 2004; Bertino et al. 2001; Joshi et al. 2005]. 

A plan $\pi : S \to U$ satisfies counting constraint $(t_\ell, t_r, S')$ if a user performs either no steps in $S'$ or between $t_\ell$ and $t_r$ steps. In other words, no user is assigned to more than $t_r$ steps in $S'$ and each user (if involved in the execution of steps in $S'$) must perform at least $t_\ell$ steps. Many requirements give rise to counting constraints of the form $(t, t, S')$, which we will abbreviate to $(t, S')$. A number of requirements that arise in the literature and in practice can be represented by counting constraints. 

Separation of duty. The constraint $(1, \{s', s''\})$ requires that no user executes both $s'$ and $s''$. More generally, the constraint $(1, |S'| - 1, S')$ requires that no user executes all the steps in $S'$. 

Binding of duty. The constraint $(2, \{s', s''\})$ requires that the same user executes both $s'$ and $s''$. More generally, the constraint $(|S'|, S')$ requires that all steps in $S'$ are executed by the same user. 

Division of duty. The constraint $(\lfloor |S'|/v \rfloor, \lceil |S'|/v \rceil, S')$ requires that the steps in $S'$ are split as equally as possible between $v$ different users. The special case $(1, S')$ requires that a different user performs each step in $S'$. 

Threshold constraints. The constraint $(1, t, S')$ requires that no user executes more than $t$ steps in $S'$.⁵ 

Generalized threshold constraints. The constraint $(t_\ell, t_r, S')$ requires that each user (involved in the execution of steps in $S'$) performs between $t_\ell$ and $t_r$ of those steps. 

Counting constraints are not able to encode certain types of requirements. For this reason, we also consider entailment constraints, which have the form $(\rho, S', S'')$, where $\rho \subseteq U \times U$ and $S', S'' \subseteq S$. A plan $\pi$ satisfies entailment constraint $(\rho, S', S'')$ if and only if there exist $s' \in S'$ and $s'' \in S''$ such that $(\pi(s'), \pi(s'')) \in \rho$. A plan $\pi$ satisfies a set of constraints $C$ (which may be a mixture of counting and entailment constraints) if $\pi$ satisfies each constraint in $C$. 

Counting constraints represent "universal" restrictions on the execution of steps (in the sense that every user in a plan must satisfy the requirement stipulated). In contrast, entailment constraints are "existential" in nature: they require the existence of a pair of steps for which a condition on the two users who execute those steps (defined by the binary relation $\rho$) is satisfied. 

⁵ These constraints are similar in structure and analogous in meaning to SMER (statically, mutually-exclusive, role) constraints [Li et al. 2007]; the SMER constraint $(t, S')$ requires that no user is authorized for $t$ or more roles in the set of roles $S'$. These constraints are also similar to the cardinality constraints defined in RBAC96 [Sandhu et al. 1996]. 

We could write $\delta$ to denote the diagonal relation $\{(u, u) : u \in U\}$ and $\bar\delta$ to denote $(U \times U) \setminus \delta$. However, we will prefer to use the less formal, but more intuitive, notation $(\neq, S', S'')$ and $(=, S', S'')$ to denote the constraints $(\bar\delta, S', S'')$ and $(\delta, S', S'')$, respectively. 

There are some requirements that can be represented by a counting constraint or an entailment constraint. The counting constraint $(1, \{s_1, s_2\})$, for example, is satisfied by plan $\pi$ if and only if the entailment constraint $(\neq, \{s_1\}, \{s_2\})$ is satisfied. We say that two constraints $\gamma$ and $\gamma'$ are equivalent if a plan $\pi$ satisfies $\gamma$ if and only if it satisfies $\gamma'$. Thus $(1, \{s_1, s_2\})$ is equivalent to $(\neq, \{s_1\}, \{s_2\})$. Similarly, $(2, \{s_1, s_2\})$ is equivalent to $(=, \{s_1\}, \{s_2\})$. Nevertheless, there is no counting constraint (or set of such constraints) that is equivalent to $(=, S_1, S_2)$. Equally, there is no entailment constraint (or set of such constraints) that is equivalent to $(t, S')$. 
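The following Python code is an added example (it is not part of the paper and not the authors' code). It implements Definitions 2.1 and 2.2 and the semantics of counting and entailment constraints given above on a small constructed purchase-order instance, solves that instance by the naive enumeration of all $n^k$ plans, checks the equivalence of two constraints by enumerating plans, and performs the binary search for the minimum number of users described in Section 2.1. The step names, user names and authorization relation are constructed for illustration and are not the data of Figure 1.

```python
from itertools import product

# Added example (not the paper's code). A constructed purchase-order instance:
# the step and user names and the authorization relation A are illustrative.
STEPS = ["create_po", "approve_po", "sign_grn", "countersign_grn",
         "create_payment", "approve_payment"]
USERS = ["alice", "bob", "carol"]
A = {  # authorization policy A as a set of (step, user) pairs
    ("create_po", "alice"), ("create_po", "bob"),
    ("approve_po", "bob"), ("approve_po", "carol"),
    ("sign_grn", "alice"), ("sign_grn", "carol"),
    ("countersign_grn", "bob"), ("countersign_grn", "carol"),
    ("create_payment", "alice"), ("create_payment", "bob"),
    ("approve_payment", "bob"), ("approve_payment", "carol"),
}


def EQ(u, v):   # the diagonal relation delta, written "=" in the paper
    return u == v


def NEQ(u, v):  # its complement, written "!=" in the paper
    return u != v


def is_authorized(plan, auth):
    """Definition 2.2: a plan is authorized if (s, plan(s)) is in A for every step s."""
    return all((s, u) in auth for s, u in plan.items())


def satisfies_counting(plan, t_l, t_r, sub):
    """Counting constraint (t_l, t_r, S'): every user performs either no step of S'
    or between t_l and t_r of them."""
    counts = {}
    for s in sub:
        counts[plan[s]] = counts.get(plan[s], 0) + 1
    return all(t_l <= c <= t_r for c in counts.values())


def satisfies_entailment(plan, rho, s1, s2):
    """Entailment constraint (rho, S', S''): some s' in S' and s'' in S'' have
    (plan(s'), plan(s'')) in rho; rho is given as a predicate on user pairs."""
    return any(rho(plan[a], plan[b]) for a in s1 for b in s2)


def satisfies(plan, constraint):
    kind, *args = constraint
    if kind == "count":
        return satisfies_counting(plan, *args)
    if kind == "entail":
        return satisfies_entailment(plan, *args)
    raise ValueError(f"unknown constraint kind {kind!r}")


def is_valid(plan, auth, constraints):
    """A valid plan is authorized and satisfies every constraint in C."""
    return is_authorized(plan, auth) and all(satisfies(plan, c) for c in constraints)


def all_plans(steps, users):
    """All n^k functions from steps to users."""
    for choice in product(users, repeat=len(steps)):
        yield dict(zip(steps, choice))


def solve_wsp(steps, users, auth, constraints):
    """The naive O(c n^k) algorithm of Section 3.1: return a valid plan or None."""
    for plan in all_plans(steps, users):
        if is_valid(plan, auth, constraints):
            return plan
    return None


def equivalent(c1, c2, steps, users):
    """Two constraints are equivalent if every plan satisfies both or neither."""
    return all(satisfies(p, c1) == satisfies(p, c2) for p in all_plans(steps, users))


def min_users(steps, constraints):
    """Section 2.1: with every user authorized for every step, the schema is
    satisfiable for some user set iff it is satisfiable with k = |S| users, and
    the minimum number of users is found by binary search over 1..k."""
    def sat(m):
        users = [f"u{i}" for i in range(m)]
        auth = {(s, u) for s in steps for u in users}
        return solve_wsp(steps, users, auth, constraints) is not None

    k = len(steps)
    if not sat(k):
        return None  # unsatisfiable for every user set and authorization relation
    lo, hi = 1, k
    while lo < hi:
        mid = (lo + hi) // 2
        if sat(mid):
            hi = mid
        else:
            lo = mid + 1
    return lo


CONSTRAINTS = [
    ("count", 1, 1, {"sign_grn", "countersign_grn"}),      # separation of duty (1, {s', s''})
    ("count", 2, 2, {"create_po", "create_payment"}),      # binding of duty (2, {s', s''})
    ("entail", NEQ, {"approve_po"}, {"approve_payment"}),  # Type 1 constraint (!=, s, s')
    ("count", 1, 2, set(STEPS)),                           # threshold (1, 2, S): at most 2 steps per user
]

if __name__ == "__main__":
    print(solve_wsp(STEPS, USERS, A, CONSTRAINTS))
    print(min_users(STEPS, CONSTRAINTS))  # 3
```

The brute force is only meant to make the definitions concrete: the threshold constraint forces at least three users for six steps, so the binary search needs to solve instances with 3 and 2 fully authorized users to report 3.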

2.3. Entailment Constraint Subtypes 

Previous work on workflow satisfiability has not considered counting constraints. Moreover, our definition of entailment constraint is more general than prior definitions. Thus, we study more general constraints for WSP than have been investigated before. 

Crampton [2005] defined entailment constraints in which $S_1$ and $S_2$ are singleton sets: we will refer to constraints of this form as Type 1 constraints; for brevity we will write $(\rho, s_1, s_2)$ for the Type 1 constraint $(\rho, \{s_1\}, \{s_2\})$. Wang and Li [2010] defined constraints in which at least one of $S_1$ and $S_2$ is a singleton set: we will refer to constraints of this form as Type 2 constraints and we will write $(\rho, s_1, S_2)$ in preference to $(\rho, \{s_1\}, S_2)$. The Type 2 constraint $(\rho, s_1, S_2)$ is equivalent to $(\rho, S_2, s_1)$ if $\rho$ is symmetric, in which case we will write $(\rho, s_1, S_2)$ in preference to $(\rho, S_2, s_1)$. Note that both $\delta$ and $\bar\delta$ are symmetric binary relations. Constraints in which $S_1$ and $S_2$ are arbitrary sets will be called Type 3 constraints. 

We note that Type 1 constraints can express requirements of the form described in Section 1, where we wish to restrict the combinations of users that perform pairs of steps. The plan $\pi$ satisfies constraint $(=, s, s')$, for example, if the same user is assigned to both steps by $\pi$, and satisfies constraint $(\neq, s, s')$ if different users are assigned to $s$ and $s'$. 

Type 2 constraints provide greater flexibility, although Wang and Li, who introduced these constraints, do not provide a use case for which such a constraint would be needed. However, there are forms of separation-of-duty requirements that are most naturally encoded using Type 3 constraints. Consider, for example, the requirement that a set of steps $S' \subseteq S$ must not all be performed by the same user [Armando et al. 2009]. We may encode this as the constraint $(\neq, S', S')$, which is satisfied by a plan $\pi$ only if there exist two steps in $S'$ that are allocated to different users by $\pi$.⁶ The binding-of-duty constraint $(=, S', S'')$ cannot be directly encoded using Type 2 constraints or counting constraints. 

Now consider a business rule of the form "two steps must be performed by members of the same organizational unit". The constraint relations $=$ and $\neq$ do not allow us to define such constraints. In Section 4 we model constraints of this form using equivalence relations defined on the set of users. In Section 5 we introduce a model for hierarchical organizational structures, represented in terms of multiple, related equivalence relations defined on the set of users. We then consider constraints derived from such equivalence relations and the complexity of WSP in the presence of such constraints. 

⁶ It is interesting to note that a Type 3 constraint $(\neq, S', S'')$ can be encoded as a Type 2 constraint, thereby providing retrospective motivation for the introduction of Type 2 constraints by Wang and Li. In particular, we may encode $(\neq, S', S'')$ as $(\neq, s, S' \cup S'' \setminus \{s\})$ for some $s \in S' \cup S''$. The equivalence of these two constraints is left as an exercise for the interested reader. (Note that we may also encode this requirement as the counting constraint $(1, |S'| - 1, S')$.) 

Henceforth, we will write $\mathrm{WSP}(\rho_1, \dots, \rho_t)$ to denote a special case of WSP in which all constraints have the form $(\rho_i, S', S'')$ for some $\rho_i \in \{\rho_1, \dots, \rho_t\}$ and for some $S', S'' \subseteq S$. We will write $\mathrm{WSP}_i(\rho_1, \dots, \rho_t)$ to denote a special case of $\mathrm{WSP}(\rho_1, \dots, \rho_t)$ in which there are no constraints of Type $j$ for $j > i$. So $\mathrm{WSP}_1(=, \neq)$, for example, indicates an instance of WSP in which all constraints are of Type 1 and only includes constraints of the form $(=, s_1, s_2)$ or $(\neq, s_1, s_2)$ for some $s_1, s_2 \in S$. For ease of exposition, we will consider counting constraints and entailment constraints separately. Our results, however, hold when a workflow specification includes both types of constraints. 



3. WSP AND FIXED-PARAMETER TRACTABILITY 

In order to make the paper self-contained, we first provide a short overview of param- 
eterized complexity, what it means for a problem to be fixed-parameter tractable, and 
summarize the results obtained by Wang and Li for WSP. We then introduce the notion 
of an eligible set of steps. The identification of eligible sets is central to our method for 
solving WSP. In the final part of this section, we state and prove a "master" theorem 
from which a number of useful results follow as corollaries. The master theorem also 
provides useful insights into the structure of constraints that will result in instances 
of WSP that are fixed-parameter tractable. 



3.1. Parameterized Complexity 

A naive approach to solving WSP would consider every possible assignment of users to steps in the workflow. There are $n^k$ such assignments if there are $n$ users and $k$ steps, so an algorithm of this form would have (worst-case) complexity $O(c n^k)$, where $c$ is the number of constraints. Moreover, Wang and Li showed that WSP is NP-hard, by reducing GRAPH $k$-COLORABILITY to $\mathrm{WSP}(\neq)$ [Wang and Li 2010, Lemma 3]. In short, WSP is hard to solve in general. The importance of finding an efficient algorithm for solving WSP led Wang and Li to look at the problem from the perspective of parameterized complexity [Wang and Li 2010, §4]. 

Suppose we have an algorithm that solves an NP-hard problem in time $O(f(k) n^d)$, where $n$ denotes the size of the input to the problem, $k$ is some (small) parameter of the problem, $f$ is some function in $k$ only, and $d$ is some constant (independent of $k$ and $n$). Then we say the algorithm is a fixed-parameter tractable (FPT) algorithm. If a problem can be solved using an FPT algorithm then we say that it is an FPT problem and that it belongs to the class FPT. 

Wang and Li showed, using an elementary argument, that $\mathrm{WSP}_2(\neq)$ is FPT and can be solved in time $O(k^{k+1} N)$, where $N$ is the size of the entire input to the problem [Wang and Li 2010, Lemma 8]. They also showed that $\mathrm{WSP}_2(\neq, =)$ is FPT [Wang and Li 2010, Theorem 9], using a rather more complex approach: specifically, they constructed an algorithm that runs in time $O(k^{k+1}(k-1)^{k^2} N)$; it follows that $\mathrm{WSP}_2(=, \neq)$ is FPT. 

When the runtime $O(f(k) n^d)$ is replaced by the much more powerful $O(n^{f(k)})$, we obtain the class XP, where each problem is polynomial-time solvable for any fixed value of $k$. There is an infinite collection of parameterized complexity classes, W[1], W[2], ..., with FPT $\subseteq$ W[1] $\subseteq$ W[2] $\subseteq \cdots \subseteq$ XP. Informally, a parameterized problem belongs to the complexity class W[i] if there exists an FPT algorithm that transforms every instance of the problem into an instance of WEIGHTED CIRCUIT SATISFIABILITY for a circuit of weft $i$. It can be shown that FPT is the class W[0]. The problems INDEPENDENT SET and DOMINATING SET are in W[1] and W[2], respectively. It is widely believed and often assumed that FPT $\neq$ W[1]. For a more formal introduction to the W family of complexity classes, see Flum and Grohe [2006]. 



Wang and Li [2010, Theorem 10] proved that WSP (for arbitrary relations defined on the user set) is W[1]-hard in general, using a reduction from INDEPENDENT SET. By definition, FPT is a subset of W[1] and a parameterized analog of Cook's Theorem [Downey and Fellows 1999] as well as the Exponential Time Hypothesis [Flum and Grohe 2006; Impagliazzo et al. 2001] strongly support the widely held view that FPT is not equal to W[1]. One of the main contributions of this paper is to extend the set of special cases of WSP that are known to be FPT. 

Henceforth, we often write $\tilde{O}(T)$ instead of $O(T \log^d T)$ for any constant $d$. That is, we use the notation $\tilde{O}$ to suppress polylogarithmic factors. This notation is often used in the literature on algorithms (see, for example, Bjorklund et al. [2009] and Kaufman et al. [2004]) to avoid cumbersome runtime bounds. 

3.2. Eligible Sets 

The basic idea behind our results is to construct a valid plan by partitioning the set of steps $S$ into blocks of steps, each of which is allocated to a single (authorized) user. More formally, let $\pi$ be a valid plan for a workflow $(S, U, \leqslant, A, C)$ and define an equivalence relation $\sim_\pi$ on $S$, where $s \sim_\pi s'$ if and only if $\pi(s) = \pi(s')$. We denote the set of equivalence classes of $\sim_\pi$ by $S/\pi$ and write $[s]_\pi$ to denote the equivalence class containing $s$. An equivalence class in $S/\pi$ comprises the set of steps that are assigned to a single user by plan $\pi$. It is easy to see that there are certain "forbidden" subsets $S'$ of $S$ for which there cannot exist a valid plan $\pi$ such that $S' \in S/\pi$. Consider, for example, the constraint $(\neq, s, s')$: then, for any valid plan $\pi$, it must be the case that $[s]_\pi \neq [s']_\pi$; in other words, there does not exist a valid plan $\pi$ such that $\{s, s'\} \in S/\pi$. This motivates the following definition. 

Definition 3.1. Given a workflow $(S, U, \leqslant, A, C)$ and a constraint $\gamma \in C$, a set $F \subseteq S$ is $\gamma$-ineligible if any plan $\pi : S \to U$ such that $F \in S/\pi$ violates $\gamma$. We say $F$ is eligible if and only if it is not ineligible. We say $F \subseteq S$ is $C$-ineligible or simply ineligible if $F$ is $\gamma$-ineligible for some $\gamma \in C$. 

A necessary condition for a valid plan is that no equivalence class is an ineligible set; equivalently, every equivalence class in a plan must be an eligible set. For many constraints $\gamma$, we can determine whether $F \subseteq S$ is $\gamma$-ineligible or not in time polynomial in the number of steps. Consider, for example, the requirement that no user executes more than $t$ steps: then $F \subseteq S$ is eligible if and only if $|F| \leqslant t$. Similarly, we can test for the ineligibility of $F$ with respect to $(\neq, s_1, s_2)$ by determining whether $F \supseteq \{s_1, s_2\}$. 

Definition 3.2. We say a constraint $\gamma$ is regular if any plan $\pi$ in which each equivalence class $[s]_\pi$ is an eligible set satisfies $\gamma$. 

The regularity of a constraint is a sufficient condition to guarantee that we can con- 
struct a valid plan using eligible sets. With one exception, all constraints we consider 
are regular. 

PROPOSITION 3.3. All counting constraints are regular and all entailment constraints of the form $(\neq, S_1, S_2)$ are regular. Entailment constraints of the form $(=, S_1, S_2)$ are regular if at least one of $S_1$ and $S_2$ is a singleton set. 

PROOF. The result is trivial for counting constraints.

Given an entailment constraint $(\neq, S_1, S_2)$, a plan $\pi$ in which all equivalence
classes are eligible, and $[s]_\pi$ for some $s \in S_1 \cup S_2$, we have that
$[s]_\pi \not\supseteq S_1 \cup S_2$ (since, by assumption, $[s]_\pi$ is eligible). Hence,
there exists an element $s' \in S_1 \cup S_2$ with $s' \notin [s]_\pi$. Since the equivalence
classes in $S/\pi$ form a partition of $S$, there exists an equivalence class
$[s']_\pi \neq [s]_\pi$. Hence, the constraint is satisfied (since each equivalence class
is assigned to a different user). Thus the constraint is regular.

We demonstrate, by exhibiting a counterexample, that a partition of $S$ into eligible
sets does not guarantee the satisfaction of a Type 3 constraint of the form
$(=, S_1, S_2)$. Consider, for example, $S = \{s_1, s_2, s_3, s_4\}$ and the constraint
$(=, \{s_1, s_2\}, \{s_3, s_4\})$. Then $\{s_1\}, \ldots, \{s_4\}$ are eligible sets, but a
plan in which $u_i$ is assigned to $s_i$ is not valid.

Finally, consider the Type 2 constraint $(=, s_1, S_2)$. Any eligible set for this
constraint that contains $s_1$ must contain an element of $S_2$. Hence a partition of $S$
into eligible sets ensures that the constraint will be satisfied (and hence that the
constraint is regular). □



3.3. Reducing WSP to Max Weighted Partition 

We now state and prove our main result. We believe this result subsumes existing
results in the literature on the complexity of WSP. Moreover, the result considerably
enhances our understanding of the types of constraints that can be used in a workflow
specification if we wish to preserve fixed-parameter tractability of WSP. We explore
the consequences and applications of our result in Sections 4 and 5.

THEOREM 3.4. Let $W = (S, U, <, A, C)$ be a workflow specification such that (i) each
constraint $\gamma$ is regular and (ii) there exists an algorithm that can determine
whether $F \subseteq S$ is $\gamma$-eligible in time polynomial in $k$. Then the workflow
satisfiability problem for $W$ can be solved in time $O(2^k(c + n^2))$.

The proof of this result reduces an instance of WSP to an instance of the Max
Weighted Partition problem, which, by a result of Björklund et al. [2009], is FPT.
We state the problem and the relevant result, before proving Theorem 3.4.



Max Weighted Partition
Input: A set $S$ of $k$ elements and $n$ functions $\phi_i$, $i \in [n]$, from $2^S$ to
integers from the range $[-M, M]$ ($M \geq 1$).
Output: An $n$-partition $(F_1, \ldots, F_n)$ of $S$ that maximizes $\sum_{i=1}^{n} \phi_i(F_i)$.



THEOREM 3.5 ([Björklund et al. 2009]). Max Weighted Partition can be solved in time
$O(2^k n^2 M)$.



PROOF OF THEOREM 3.4. We construct a binary matrix with $n$ rows (indexed by elements
of $U$) and $2^k$ columns (indexed by elements of $2^S$): every entry in the column
labeled by the empty set is defined to be 1; the entry indexed by $u \in U$ and
$F \subseteq S$, $F \neq \emptyset$, is defined to be 0 if and only if $F$ is $C$-ineligible or
there exists $s \in F$ such that $(s, u) \notin A$. In other words, a non-zero matrix entry
indexed by $u$ and $F$ means that $F$ is a $C$-eligible set and $u$ is authorized for all
steps in $F$, and thus represents a set of steps that could be assigned to a single user
in a valid plan.

The matrix defined above encodes a family of functions $\{\phi_u\}_{u \in U}$,
$\phi_u : 2^S \to \{0, 1\}$. We now solve Max Weighted Partition on input $S$ and
$\{\phi_u\}_{u \in U}$. Given that $\phi_u(F) \leq 1$, $\sum_{u \in U} \phi_u(F_u) \leq n$, with
equality if and only if we can partition $S$ into different $C$-eligible blocks and
assign them to different users. Since each $\gamma$ is regular, $W$ is satisfiable if and
only if MWP returns a partition having weight $n$.

We now consider the complexity of the above algorithm. By assumption, we can identify
the ineligible sets in $O(c \cdot k^d \cdot 2^k) = O(c 2^k)$ time for some integer $d$
independent of $k$ and $c$. And we can check whether a user is authorized for all steps
in $F \subseteq S$ in $O(k)$ time. Thus we can construct the matrix in
$O(2^k \cdot n \cdot k) = O(2^k n)$ time. Finally, we can solve Max Weighted Partition in
$O(2^k n^2)$ time. Thus, the total time required to solve WSP for $W$ is
$O(2^k(c + n + n^2)) = O(2^k(c + n^2))$. □

THEOREM 3.6. WSP is FPT for any workflow specification in which all the constraints
are counting constraints.

PROOF. A plan $\pi : S \to U$ satisfies counting constraint $\gamma = (t_\ell, t_r, S')$ if a
user performs either no steps in $S'$ or between $t_\ell$ and $t_r$ steps. Hence,
$F \subseteq S$ is eligible if and only if $t_\ell \leq |F| \leq t_r$, a test that can clearly
be evaluated in $O(k)$ time. The result now follows by Proposition 3.3 and Theorem 3.4. □

While the above result appears easy to state and prove, nothing was known about the
complexity of incorporating such constraints into workflow specifications. Moreover,
counting constraints can be used to encode (Type 1) entailment constraints of the form
$(\neq, s_1, s_2)$ and WSP$_1(\neq)$ is known to be NP-complete [Wang and Li 2010, Lemma 3].
Finally, counting constraints can encode requirements that cannot be expressed using
entailment constraints. Hence, WSP in the presence of counting constraints is at least
as hard as WSP$_1(\neq)$. Therefore, there is no immediate reason to suppose that WSP for
counting constraints would be FPT. In short, Theorem 3.6 is non-trivial, thus
demonstrating the power of Theorem 3.4.

At first glance, it is perhaps surprising to discover that counting constraints have no
effect on the fixed-parameter tractability of WSP. However, on further reflection, the
structure of the proof of Theorem 3.4 suggests that any constraint whose satisfaction
is phrased in terms of the steps that a single user performs can be incorporated into a
workflow specification without compromising fixed-parameter tractability.

It also becomes apparent that there are certain constraints whose inclusion may cause
problems. Any constraint whose satisfaction is defined in terms of the set of users
that perform a set of steps may be problematic. The requirement that a workflow be
performed by at least three users, for example, cannot be encoded using the counting
or entailment constraints we have defined in this paper. Moreover, it is difficult to
envisage an eligibility test for such a constraint and, if such a test exists, whether
it can be evaluated in time polynomial in $k$. However, we can express a constraint of
this form as a counting constraint such that the original constraint is satisfied if
the counting constraint is satisfied. Specifically, the requirement that a set $S'$ of
steps be performed by at least $t$ users can be enforced by ensuring that each user
performs no more than $(|S'| - 1)/(t - 1)$ steps.⁷

4. ENTAILMENT CONSTRAINTS

In this section we focus on workflow specifications that include only entailment
constraints. In doing so, we demonstrate further the power of Theorem 3.4. We also show
that the time complexity obtained in Theorem 3.4 cannot be significantly improved even
for a very special case of WSP. We conclude with a discussion of and comparison with
related work.



⁷ Of course, this means that certain plans that do not violate the original requirement
are invalid. That is, the counting constraint "over-enforces" the original requirement.
See the work of Li et al. [2007] for further details on constraint rewriting of this
nature.

4.1. WSP(≠)

By Proposition 3.3 any constraint $\gamma$ of the form $(\neq, S_1, S_2)$ is regular.
Moreover, there exists an easy test to determine whether $F \subseteq S$ is
$\gamma$-ineligible. Specifically, $F$ is $\gamma$-ineligible if and only if
$F \supseteq S_1 \cup S_2$, since any plan that allocated a single user to the steps in $F$
would be invalid. Hence, we can determine in time polynomial in the sizes of $F$, $S_1$
and $S_2$ (that is, in $k$) the $\gamma$-eligibility of $F$.

THEOREM 4.1. WSP$(\neq)$ can be solved in time $O(2^k(c + n^2))$.

PROOF. The result follows from Theorem 3.4 and the fact that every constraint is
regular and the eligibility of any constraint can be determined in time polynomial in
$k$. □

Our next result asserts that it is impossible, assuming the well-known Exponential
Time Hypothesis [Impagliazzo et al. 2001], to improve this result to any significant
degree.

Exponential Time Hypothesis

There exists a real number $\epsilon > 0$ such that 3-SAT cannot be solved in time
$O(2^{\epsilon n})$, where $n$ is the number of variables.

THEOREM 4.2. Even if there are just two users, WSP$_2(\neq)$ cannot be solved in time
$O(2^{\epsilon k})$ for some positive real $\epsilon$, where $k$ is the number of steps,
unless the Exponential Time Hypothesis fails.

The proof of this result can be found in the appendix. 

4.2. WSP(=)

Given a constraint $\gamma$ of the form $(=, S_1, S_2)$, any set $F$ that contains $S_1$ but
no element of $S_2$ is ineligible; equally, any set $F$ that contains $S_2$ but no element
of $S_1$ is ineligible. Hence, we can determine $\gamma$-ineligibility in time polynomial
in $k$ (as we only require subset inclusion and intersection operations on sets whose
cardinalities are no greater than $k$). However, a constraint $\gamma$ of the form
$(=, S_1, S_2)$ is not necessarily regular (Proposition 3.3). Nevertheless, we have the
following result.

THEOREM 4.3. WSP$_2(=)$ can be solved in time $O(2^k(c + n^2))$, where $k$ is the number
of steps, $c$ is the number of constraints and $n$ is the number of users. WSP$(=)$ can
be solved in time $O(2^{k+c}(c + n^2))$.

PROOF. The first result follows immediately from Theorem 3.4 and Proposition 3.3,
since the latter result asserts that constra­ints of the form $(=, s_1, S_2)$ are regular.

To obtain the second result, we rewrite a Type 3 constraint $(=, S_1, S_2)$ as two Type
2 constraints, at the cost of introducing additional workflow steps. Specifically, we
replace a Type 3 constraint $(=, S_1, S_2)$ with the constraints $(=, S_1, s_{new})$ and
$(=, s_{new}, S_2)$, where $s_{new}$ is a "dummy" step. Every user is authorized for
$s_{new}$. Observe that if we have a plan that satisfies $(=, S_1, S_2)$ then there exists
a user $u$ and steps $s_1 \in S_1$ and $s_2 \in S_2$ such that $\pi(s_1) = \pi(s_2)$. Hence
we can find a plan that satisfies $(=, S_1, s_{new})$ and $(=, s_{new}, S_2)$: specifically,
we extend $\pi$ by defining $\pi(s_{new}) = u$. Similarly, if we have a plan that
satisfies $(=, S_1, s_{new})$ and $(=, s_{new}, S_2)$ then there exists a user $u$ and steps
$s_1$ and $s_2$ such that $u = \pi(s_{new}) = \pi(s_1) = \pi(s_2)$ and we may construct a
valid plan for $(=, S_1, S_2)$.

The rewriting of a (Type 3) constraint $(=, S_1, S_2)$ requires the replacement of one
Type 3 constraint with two Type 2 constraints and the creation of one new step. In
other words, we can derive an equivalent instance of WSP$_2(=)$ having no more than $c$
additional constraints and no more than $c$ additional steps. Since Type 2 constraints
are regular, the result now follows by Theorem 4.1. □

COROLLARY 4.4. WSP$(=)$ is FPT.

PROOF. We may assume without loss of generality that $S_1 \cap S_2 = \emptyset$: the
constraint is trivially satisfied if there exists $s \in S_1 \cap S_2$, since we assume
there exists at least one authorized user for every step. Hence, the number of
constraints having this form is no greater than
$\sum_{j=1}^{k} \binom{k}{j} 2^{k-j} \leq 3^k$. Hence, WSP$(=)$ is FPT, since we can replace
$2^{k+c}$ in the run-time by $2^{k+3^k}$, as required. □

4.3. WSP(=, ≠) and Related Work

We can combine the results of the previous sections in a single theorem. Clearly, we
could also incorporate counting constraints into this result.

THEOREM 4.5. WSP$(=, \neq)$ can be solved in time $O(2^{k+c}(c + n^2))$.

The special case of the workflow satisfiability problem WSP$_2(\neq)$ was studied by
Wang and Li from the perspective of fixed-parameter tractability; the complexity of
their algorithm is $O(k^{k+1} N) = 2^{O(k \log k)} N$, where $N$ is the size of the input
[Wang and Li 2010, Lemma 8]. Fellows et al. [2011] considered the fixed-parameter
tractability of a special case of the constraint satisfaction problem [Tsang 1993] in
which all constraints have the same form; with these restrictions, the constraint
satisfaction problem is identical to WSP$_1(\neq)$. The algorithm of Fellows et al. has
complexity $O(k!\,kn) = 2^{O(k \log k)} n$, where $n$ is the number of users [Fellows et al.
2011, Theorem 3.1]. Our algorithm has complexity
$O(2^k(c + n^2)) = O(2^{k + d \log k}(c + n^2))$, where $d = O(1)$, which represents a
considerable improvement in the term in $k$.

More significantly, Wang and Li [2010, Theorem 9] showed that WSP$_2(\neq, =)$ is FPT;
the complexity of their algorithm is $O(k^{k+1}(k-1)^{k^2} n)$. Our algorithm to solve
WSP$_2(=, \neq)$ retains the complexity $O(2^k(c + n^2))$, which is clearly a substantial
improvement on the result of Wang and Li. Finally, we note that our results are the
first to consider Type 3 constraints.

4.4. Constraints Based on Equivalence Relations 

The work of Crampton [2005, §2] and of Wang and Li [2010, Examples 1, 2] has noted that
a constraint of practical interest is that users performing two steps must be from the
same department.⁸ In the workflow illustrated in Figure 1, one might require, for
example, that the two users who perform steps $s_3$ and $s_5$ belong to the same
department. Note, however, that we will still require that these two users be
different. More generally, we might wish to insist that the user who approves the
purchase order (step $s_2$) belongs to the same department as the user who creates the
order (step $s_1$).

In short, there are many practical situations in which some auxiliary information
defines an equivalence relation on the set of users (membership of department, for
example) where we may wish to require that two steps are performed by users belonging
to either the same equivalence class or to different equivalence classes. In this
section, we introduce two relations that allow us to model organizational structures,
in which users are partitioned (possibly at several levels) into different
organizational units, such as departments.

⁸ However, little is known about the complexity of the WSP when such constraints are
used, a deficiency we address in the next section.
Given an equivalence relation $\sim$ on $U$, a plan $\pi$ satisfies the constraint
$(\sim, S_1, S_2)$ if there exist $s_1 \in S_1$ and $s_2 \in S_2$ such that $\pi(s_1)$ and
$\pi(s_2)$ belong to the same equivalence class. Similarly, a plan $\pi$ satisfies the
constraint $(\not\sim, S_1, S_2)$ if there exist $s_1 \in S_1$ and $s_2 \in S_2$ such that
$\pi(s_1)$ and $\pi(s_2)$ belong to different equivalence classes. Hence, the constraint
$(\sim, s_3, s_5)$ would encode the requirement that the signing and counter-signing of
the goods received note must be performed by users belonging to the same equivalence
class (department, in this example). More generally, a constraint of the form
$(\sim, s, s')$ represents a weaker constraint than one of the form $(=, s, s')$, since
more plans satisfy such a constraint. Conversely, a constraint of the form
$(\not\sim, s, s')$ is stronger than $(\neq, s, s')$, as it requires that the two users who
perform $s$ and $s'$ are different and, in addition, they belong to different
equivalence classes.

THEOREM 4.6. For any user set $U$ and any equivalence relation $\sim$ defined on $U$,
WSP$(\sim, \not\sim)$ is FPT.

PROOF. Consider an instance of the problem $W = (S, U, <, A, C)$ and let
$V_1, \ldots, V_m$ be the equivalence classes of $\sim$. Then consider the following
workflow specification $W' = (S, U', <, A', C')$, where

— $U' = \{V_1, \ldots, V_m\}$;

— $A' \subseteq S \times U'$ and $(s, V_i) \in A'$ if there exists $u \in V_i$ such that
$(s, u) \in A$;

— each constraint of the form $(\sim, S_1, S_2)$ in $C$ is replaced by $(=, S_1, S_2)$ in
$C'$; and

— each constraint of the form $(\not\sim, S_1, S_2)$ in $C$ is replaced by $(\neq, S_1, S_2)$
in $C'$.

Observe that $W$ is satisfiable if and only if $W'$ is, and deciding the satisfiability
of $W'$ is FPT by Theorem 4.1 and Corollary 4.4. □
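The two instance rewritings of this section, the dummy-step replacement of a Type 3 constraint from the proof of Theorem 4.3 and the collapse of users into equivalence classes from the proof of Theorem 4.6, as an added worked example in Python (not code from the paper). Each rewriting is checked against a brute-force satisfiability test on a small constructed instance; the constraint tuple encoding, the dummy step names and the sample departments are assumptions of the example.

```python
from itertools import product

# Added illustration, not the paper's code.  Entailment constraints are tuples
# (rel, S1, S2) with rel one of "=", "!=", "~", "!~"; the last two refer to an
# equivalence relation on users given as a dict user -> class name.

def satisfied(plan, con, cls=None):
    """Does plan (dict step -> user) satisfy one entailment constraint?"""
    rel, S1, S2 = con
    pairs = [(plan[a], plan[b]) for a in S1 for b in S2]
    if rel == "=":
        return any(x == y for x, y in pairs)
    if rel == "!=":
        return any(x != y for x, y in pairs)
    if rel == "~":
        return any(cls[x] == cls[y] for x, y in pairs)
    if rel == "!~":
        return any(cls[x] != cls[y] for x, y in pairs)
    raise ValueError(rel)

def satisfiable(steps, users, auth, cons, cls=None):
    """Brute force over all n^k plans (fine for the toy instances here); used
    only to confirm that each rewriting preserves satisfiability."""
    for choice in product(users, repeat=len(steps)):
        plan = dict(zip(steps, choice))
        if all((s, u) in auth for s, u in plan.items()) and \
                all(satisfied(plan, c, cls) for c in cons):
            return True
    return False

def rewrite_type3(steps, users, auth, cons):
    """Theorem 4.3: a Type 3 constraint (=, S1, S2), both sides non-singleton,
    becomes (=, S1, {s_new}) and (=, {s_new}, S2) for a fresh dummy step s_new
    that every user is authorised for.  Returns (steps, auth, cons)."""
    steps, auth, out = list(steps), set(auth), []
    for con in cons:
        rel, S1, S2 = con
        if rel == "=" and len(S1) > 1 and len(S2) > 1:
            s_new = "dummy%d" % len(steps)          # hypothetical step name
            steps.append(s_new)
            auth |= {(s_new, u) for u in users}
            out += [("=", S1, {s_new}), ("=", {s_new}, S2)]
        else:
            out.append(con)
    return steps, auth, out

def collapse_classes(steps, users, auth, cons, cls):
    """Theorem 4.6: the users of W' are the equivalence classes V_1..V_m, a
    class is authorised for s when one of its members is, and ~ / !~ become
    = / != (only ~ and !~ constraints are expected, as in WSP(~, !~))."""
    users2 = sorted({cls[u] for u in users})
    auth2 = {(s, cls[u]) for s, u in auth}
    cons2 = [({"~": "=", "!~": "!="}[rel], S1, S2) for rel, S1, S2 in cons]
    return steps, users2, auth2, cons2

if __name__ == "__main__":
    # Constructed instances.  (1) A Type 3 binding constraint across two pairs
    # of steps, together with separation of duty inside each pair.
    steps, users = ["s1", "s2", "s3", "s4"], ["u1", "u2"]
    auth = {(s, u) for s in steps for u in users}
    cons = [("=", {"s1", "s2"}, {"s3", "s4"}),
            ("!=", {"s1"}, {"s2"}), ("!=", {"s3"}, {"s4"})]
    st, au, co = rewrite_type3(steps, users, auth, cons)
    print(satisfiable(steps, users, auth, cons), satisfiable(st, users, au, co))
    # (2) Two departments D1 = {a, b} and D2 = {c, d}; s1 and s2 must be done
    # in the same department, s1 and s3 in different departments.
    cls = {"a": "D1", "b": "D1", "c": "D2", "d": "D2"}
    full = {(s, u) for s in steps for u in cls}
    dept = [("~", {"s1"}, {"s2"}), ("!~", {"s1"}, {"s3"})]
    print(satisfiable(steps, list(cls), full, dept, cls),
          satisfiable(*collapse_classes(steps, list(cls), full, dept, cls)))
```

Both prints show a satisfiable instance and its rewritten form agreeing; the accompanying checks also cover an unsatisfiable variant of each, where the Type 3 constraint, respectively the $\not\sim$ constraint, is what rules every plan out.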

Of course, we could also include counting constraints in the workflow specification.
Let us assume, for ease of explanation, that an equivalence relation partitions a user
set into different organizational units.

Separation of duty. The constraint $(1, \{s', s''\})$ requires that users from different
organizational units perform $s'$ and $s''$. More generally, the constraint
$(1, |S'| - 1, S')$ requires that no single unit executes all the steps in $S'$.

Binding of duty. The constraint $(2, \{s', s''\})$ requires that users from the same
organizational unit execute both $s'$ and $s''$. More generally, the constraint
$(|S'|, S')$ requires that all steps in $S'$ are executed by users from the same unit.

The other forms of counting constraints introduced in Section 2.2 can be interpreted in
analogous ways in the presence of an equivalence relation defined on the set of users.

5. ORGANIZATIONAL HIERARCHIES 

We now show how we can use multiple equivalence relations to define an organizational
hierarchy. In Section 5.2 we describe a fixed-parameter tractable algorithm to solve
WSP in the presence of constraints defined over such structures.

Let $S$ be a set. An $n$-partition of $S$ is an $n$-tuple $(F_1, \ldots, F_n)$ such that
$F_1 \cup \cdots \cup F_n = S$ and $F_i \cap F_j = \emptyset$ for all $i \neq j \in [n]$. We will
refer to the elements of an $n$-partition as blocks.⁹

Definition 5.1. Let $(X_1, \ldots, X_p)$ and $(Y_1, \ldots, Y_q)$ be $p$- and $q$-partitions of
the same set. We say that $(Y_1, \ldots, Y_q)$ is a refinement of $(X_1, \ldots, X_p)$ if for
each $i \in [q]$ there exists $j \in [p]$ such that $Y_i \subseteq X_j$.

⁹ One or more blocks in an $n$-partition may be the empty set.
Definition 5.2. Let $U$ be the set of users in an organization. An organizational
$\ell$-hierarchy is a collection of $\ell$ partitions of $U$, $U^{(1)}, \ldots, U^{(\ell)}$,
where $U^{(i)}$ is a refinement of $U^{(i+1)}$.

The $i$th partition is said to be the $i$th level of the hierarchy. Each member of
$U^{(i)}$ is a subset of $U$; we write $V \in U^{(i)}$ to denote a block in the $i$th level
of the hierarchy.

A constraint of the form $(\sim_i, s_1, s_2)$, for example, is satisfied by plan $\pi$ if
$\pi(s_1), \pi(s_2) \in V$ for some $V \in U^{(i)}$. Note, however, that we may still define
a constraint $(\neq, s_1, s_2)$ which requires that the steps $s_1$ and $s_2$ are performed
by different users.

More generally, a constraint of the form $(\sim_i, S_1, S_2)$ is satisfied by plan $\pi$ if
there exist $s_1 \in S_1$ and $s_2 \in S_2$ such that $\pi(s_1)$ and $\pi(s_2)$ belong to the
same block in $U^{(i)}$. A constraint of the form $(\not\sim_i, S_1, S_2)$ is satisfied by
$\pi$ if there exist $s_1 \in S_1$ and $s_2 \in S_2$ such that $\pi(s_1)$ and $\pi(s_2)$ belong
to different blocks in $U^{(i)}$. Note that if $\pi$ satisfies $(\sim_i, S_1, S_2)$, then it
satisfies $(\sim_j, S_1, S_2)$ for all $j > i$. Conversely, if $\pi$ satisfies
$(\not\sim_i, S_1, S_2)$, then it also satisfies $(\not\sim_j, S_1, S_2)$ for all $j < i$. In
other words, for each $S_1, S_2 \subseteq S$, we may and will assume without loss of
generality that there is at most one constraint of the form $(\sim_i, S_1, S_2)$ and at
most one constraint of the form $(\not\sim_j, S_1, S_2)$.

We now introduce the notion of a canonical hierarchy. Informally, each level of a
canonical hierarchy is different, the top level comprises a single block and the bottom
level comprises the set of all singleton blocks. Two canonical hierarchies are shown in
Figure 2, in which $a, \ldots, j$ represent users and the rectangles define the partition
blocks. Note that each level is a refinement of the one above.

Fig. 2. Two canonical organizational hierarchies



More formally, we have the following definition. 

Definition 5.3. Let $H = U^{(1)}, \ldots, U^{(\ell)}$, where $U^{(i)}$ is a refinement of
$U^{(i+1)}$, be a hierarchy. We say $H$ is canonical if it satisfies the following
conditions: (i) $U^{(i)} \neq U^{(i+1)}$ for all $i$; (ii) $U^{(\ell)}$ is a 1-partition
containing the set $U$; (iii) $U^{(1)}$ is an $n$-partition containing every singleton set
(from $U$).

Let $U^{(1)}, \ldots, U^{(\ell)}$ be some hierarchy and let $C$ be a set of workflow
constraints. We conclude this section by showing how we may convert the hierarchy into
a canonical hierarchy by first removing duplicate levels, adding suitable top and
bottom levels (if required), and making appropriate adjustments to $C$. More formally,
we perform the following operations:

— If $U^{(i)} = U^{(i+1)}$ for some $i$ then we replace all constraints of the form
$(\sim_{i+1}, S_1, S_2)$ and $(\not\sim_{i+1}, S_1, S_2)$ with constraints of the form
$(\sim_i, S_1, S_2)$ and $(\not\sim_i, S_1, S_2)$, respectively. We then remove $U^{(i+1)}$
from the hierarchy as there are now no constraints that apply to $U^{(i+1)}$.

— If no partition in the hierarchy has one element (consisting of a single block $U$),
then add such a partition to the hierarchy. Clearly every partition is a refinement of
the 1-partition $(U)$.

— If no partition in the hierarchy has $n$ elements, then add such a partition to the
hierarchy. Clearly such a partition is a refinement of every other partition.

— Finally, we renumber the levels and the constraints where appropriate with
consecutive integers.

The conversion of a hierarchy to canonical form can be performed in $O(\ell n + c)$ time
(since we require $O(\ell n)$ time to find all layers that may be deleted and then delete
them, and $O(c)$ time to update the constraints). The number of levels in the resulting
canonical hierarchy is no greater than $\ell + 2$.
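The four canonicalization operations above, carried out on a small constructed hierarchy, as an added worked example in Python (not code from the paper). A hierarchy is represented as a list of partitions, level 1 first, each partition a set of frozenset blocks; hierarchy constraints are encoded as (rel, level, S1, S2) tuples with rel one of "~" and "!~". The representation and the sample hierarchy are assumptions of the example.

```python
# Added illustration, not the paper's code: converting an organizational
# hierarchy to canonical form (Definition 5.3) by the four operations listed in
# the text.  Levels are numbered from 1 at the bottom (finest partition).

def is_refinement(fine, coarse):
    """Definition 5.1: every block of `fine` lies inside some block of `coarse`."""
    return all(any(y <= x for x in coarse) for y in fine)

def canonicalize(levels, users, cons):
    """levels: partitions U^(1), ..., U^(l), each a set of frozenset blocks and
    each a refinement of the next.  cons: (rel, level, S1, S2) tuples.
    Returns (canonical_levels, renumbered_cons)."""
    levels = [frozenset(frozenset(b) for b in p) for p in levels]
    for lo, hi in zip(levels, levels[1:]):
        if not is_refinement(lo, hi):
            raise ValueError("each level must refine the level above it")
    # 1. drop a level equal to the one below it; constraints on the dropped
    #    level i+1 are re-pointed at level i (the two partitions are identical)
    kept, target = [], {}              # target: old level number -> new index
    for i, part in enumerate(levels, start=1):
        if not kept or part != kept[-1]:
            kept.append(part)
        target[i] = len(kept)
    # 2./3. add the 1-partition (U) at the top and the n-partition of singletons
    #    at the bottom when missing; a new bottom shifts every number by one
    shift = 0
    bottom = frozenset(frozenset([u]) for u in users)
    if bottom not in kept:
        kept.insert(0, bottom)
        shift = 1
    top = frozenset([frozenset(users)])
    if top not in kept:
        kept.append(top)
    # 4. renumber the constraints with the new consecutive level numbers
    new_cons = [(rel, target[i] + shift, S1, S2) for rel, i, S1, S2 in cons]
    return kept, new_cons

if __name__ == "__main__":
    # Constructed hierarchy over users a..d: level 2 is duplicated as level 3
    # and there is no top level, so two operations fire.
    f = frozenset
    L1 = {f("a"), f("b"), f("c"), f("d")}
    L2 = {f("ab"), f("c"), f("d")}
    L4 = {f("ab"), f("cd")}
    levels, cons = canonicalize([L1, L2, L2, L4], ["a", "b", "c", "d"],
                                [("~", 3, {"s1"}, {"s2"}), ("!~", 4, {"s1"}, {"s3"})])
    for i, part in enumerate(levels, start=1):
        print(i, sorted("".join(sorted(b)) for b in part))
    print(cons)
```

The duplicate level is removed and the constraint that referred to it drops one level; the constraint on the old top level drops with it, and the added 1-partition $(U)$ becomes the new top. The resulting hierarchy has $\ell + 2$ levels at most, as the text states.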

5.1. Organizational Hierarchies from Management Structures 

We now illustrate how organizational hierarchies may be constructed in a systematic
fashion from management structures. Given a set of users $U$, we assume that an
organization defines a hierarchical binary relation $>$ on $U$ in order to specify
management responsibilities and reporting lines. We assume that the Hasse diagram of
$(U, >)$ is a directed tree in which non-leaf nodes represent users with some
managerial responsibility and edges are directed from root node to leaf nodes. Let
$G_{man} = (U, E_{man})$ denote the Hasse diagram of $(U, >)$. The fact that $G_{man}$ is a
tree means that no user has more than one manager. A user $u$ has direct responsibility
for (or is the line manager of) user $v$ if $(u, v) \in E_{man}$. We also assume that the
out-degree of a non-leaf node is at least two.

We now describe one method by which an organizational hierarchy may be derived from a
management tree. Given a management tree $G_{man}$ we iteratively construct management
trees with fewer and fewer nodes as follows:

(1) we first identify every sub-tree in which there is a single non-leaf node; 

(2) for each such sub-tree we form a single leaf node whose label is formed from the 
labels for the respective leaf nodes; 

(3) for each resulting sub-tree we form a single node whose label is formed from the 
labels of the child and parent nodes. 

We then repeat for the resulting tree, terminating when we have a tree containing a 
single node. 

The above procedure is illustrated in Figure 3. The figure shows a sequence of trees,
the first of which defines the management tree in which each node is labeled with a
single user. Each management tree thus derived is associated with a partition; the
corresponding partition of $U$ is written below each tree in Figure 3, with a vertical
bar indicating the block boundaries. By construction, the collection of partitions
forms a canonical organizational hierarchy. The organizational hierarchy derived from
the management tree in Figure 3 is displayed in Figure 2(a). Note that the number of
levels in the organizational hierarchy is equal to $2p + 1$, where $p$ is the number of
edges in the longest directed path in $G_{man}$.
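The three-step collapsing procedure above, run to completion on a management tree, as an added worked example in Python (not code from the paper). Since Figure 3 is not reproduced here, the tree is constructed so that it matches the text's description of that figure (users $a, \ldots, j$; $\{a, b, c, d\}$ and $\{e, f, g, h, i\}$ at level 5; $i$ separate at level 4; $f$ and $g$ the lowest stratum): $j$ manages $d$ and $i$, $d$ manages $a$, $b$, $c$, $i$ manages $e$ and $h$, and $e$ manages $f$ and $g$. That tree is an assumption of the example.

```python
# Added illustration, not the paper's code: deriving a canonical organizational
# hierarchy from a management tree by the three-step procedure in the text.
# Nodes are frozensets of users, so a merged node carries the labels of every
# user it absorbed.

def hierarchy_from_management_tree(children, root):
    """children: dict manager -> list of direct reports (user names); root: the
    top manager.  Returns the partitions, level 1 (all singletons) first."""
    tree = {frozenset([p]): [frozenset([c]) for c in cs] for p, cs in children.items()}
    root = frozenset([root])

    def partition():
        nodes = {root} | set(tree) | {c for cs in tree.values() for c in cs}
        return frozenset(nodes)

    levels = [partition()]
    while tree:                                  # stop once a single node remains
        # (1) sub-trees with a single non-leaf node: every child is a leaf
        targets = [p for p, cs in tree.items() if all(c not in tree for c in cs)]
        # (2) merge the leaves of each such sub-tree into one leaf node
        for p in targets:
            tree[p] = [frozenset().union(*tree[p])]
        levels.append(partition())
        # (3) merge that leaf with its parent into a single node
        for p in targets:
            merged = p | tree.pop(p)[0]
            for q in tree:
                tree[q] = [merged if c == p else c for c in tree[q]]
            if p == root:
                root = merged
        levels.append(partition())
    return levels

def longest_path(children, node):
    """Number of edges on the longest root-to-leaf path below `node`."""
    if node not in children:
        return 0
    return 1 + max(longest_path(children, c) for c in children[node])

def is_refinement(fine, coarse):
    """Definition 5.1: every block of `fine` lies inside some block of `coarse`."""
    return all(any(y <= x for x in coarse) for y in fine)

if __name__ == "__main__":
    # Constructed management tree consistent with the text's account of Figure 3.
    CHILDREN = {"j": ["d", "i"], "d": ["a", "b", "c"], "i": ["e", "h"], "e": ["f", "g"]}
    for i, part in enumerate(hierarchy_from_management_tree(CHILDREN, "j"), start=1):
        print(i, " | ".join(sorted("".join(sorted(b)) for b in part)))
```

The run produces $2p + 1 = 7$ levels for a longest path of $p = 3$ edges ($j, i, e, f$), each level a proper refinement of the next; levels 4 and 5 are $\{a,b,c,d\} \mid \{e,f,g,h\} \mid \{i\} \mid \{j\}$ and $\{a,b,c,d\} \mid \{e,f,g,h,i\} \mid \{j\}$, which is what the constraints $(\not\sim_4, s_1, s_2)$ and $(\sim_5, s_1, s_2)$ discussed below rely on.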

Having constructed the organizational hierarchy, we may now define constraints on step
execution. We will use our purchase order workflow from Figure 1 as an example and the
organizational hierarchy in Figure 2(a).

We could, for example, define the constraint $(\sim_5, s_1, s_2)$. In the absence of other
constraints, this constraint means that users from the set $\{a, b, c, d\}$ or
$\{e, f, g, h, i\}$ (which we might suppose represent two distinct departments within the
management structure) or user $j$ could raise (step $s_1$) and approve (step $s_2$)
purchase orders, but an attempt by a user from one department to approve an order
raised by a member of another department would violate the constraint.

We could define a second constraint $(\not\sim_4, s_1, s_2)$, which means that user $i$
must perform one of $s_1$ and $s_2$ (and also means that no user from $\{a, b, c, d, j\}$
can perform either $s_1$ or $s_2$ because there would be no way to simultaneously satisfy
constraints $(\sim_5, s_1, s_2)$ and $(\not\sim_4, s_1, s_2)$). If we assume that junior
members of the department (users $e$, $f$, $g$ and $h$) are not authorized to approve
purchase orders, the collective effect of the two constraints above and the
authorization policy is to require that (a) purchase orders are only approved by
managers, and (b) purchase orders are only raised by junior members of staff.

Fig. 3. Building the blocks of an organizational hierarchy from a management tree

Pursuing the last point briefly, it has long been recognized that a limitation of
role-based access control is the "feature" that (senior) users assigned to the most
powerful roles accrue all the permissions of more junior roles (see Moffett and Lupu
[1999], for example). It is interesting to note that the constraints and the method of
constructing an organizational hierarchy described above can be used to restrict the
steps that senior managers can perform.

In summary, we believe that our definition of organizational hierarchy provides an
appropriate way of modeling hierarchical management structures and supports the
specification of constraints that provide greater flexibility than those in the
literature [Bertino et al. 1999; Crampton 2005; Wang and Li 2010], which have focused
on constraints involving only $=$ and $\neq$. Moreover, as we will see in the next
section, the complexity of WSP for these new constraints remains fixed-parameter
tractable.

Finally, we note that there are several ways in which the construction of an
organizational hierarchy from a management tree described above could be modified. At
each iteration we could, for example, collapse the root node and all the leaf nodes
into a single node. In doing so, we remove the distinction between the line manager of
an organizational unit and the remaining members of the unit. If we adopt this approach
for the management tree in Figure 3, we derive the organizational hierarchy shown in
Figure 2(b). Clearly this construction results in fewer layers in the organizational
hierarchy (equal to $p + 1$, where $p$ is the length of the longest directed path in the
management tree) and, therefore, supports fewer choices of workflow constraints.

Each method will give rise to different organizational hierarchies, some with more
levels, some with fewer, with each hierarchy allowing for the specification of a
different set of constraints. The method used to construct an organizational hierarchy
will usually depend on the workflow, the organization and the type of constraints that
are required. An alternative approach to both those described above would be to
"stratify" the management tree into levels and, working from the bottom level up,
collapse all departments at a specific level into single nodes. Using the management
tree in Figure 3, for example, the users $f$ and $g$ form the lowest level in the
stratified tree and would be merged into a single unit first; this would be followed by
the merging of users $a$, $b$ and $c$ and of $e$, $f$, $g$ and $h$. The resulting canonical
hierarchy will be rather similar to the one depicted in Figure 2(a), although the
departments will form at different levels in the new hierarchy. The study of such
hierarchies and the utility of the constraints that can be defined over them will be
the subject of future work.

5.2. Organizational Hierarchy Constraints 

We have seen that if we are given a single equivalence relation and only use the
binary relations $\sim$ and $\not\sim$ then WSP$_2(\sim, \not\sim)$ may be transformed into
an instance of WSP$_2(=, \neq)$, which is known to be FPT. We prove in Theorem 5.4 that
the problem remains in FPT for organizational hierarchies with $\ell$ levels (defined by
$\ell$ equivalence relations). In fact, the results in Theorem 4.1 and Theorem 4.6
correspond to special cases of Theorem 5.4 in which the hierarchy has two levels.
Figure 4 illustrates these hierarchies, where each user is represented by an unfilled
circle and blocks of users are enclosed by a rectangle. Conversely, it is these special
cases that provide the foundation for the bottom-up iterative method that we use in the
proof of Theorem 5.4 to solve WSP for more complex hierarchical structures.

Fig. 4. Two-level hierarchies; panel (b): non-trivial equivalence relation



Recall Wang and Li proved that WSP is not FPT, in general. One crucial factor in
determining the complexity of WSP is the nature of the binary relations used to define
entailment constraints. Informally, Wang and Li showed that for a particular choice of
relational structure on the user set, WSP is an instance of Independent Set, which is
known to be W[1]-complete. Constraints based on equivalence relations, however, do not
compromise the fixed-parameter tractability of WSP because of the particular structure
that is imposed on the user set, namely a partition into no more than $2^k$ blocks.

Before proving the main result of this section, we consider canonical hierarchies with
exactly three levels. There are several reasons for doing so:

— if we are given a non-trivial equivalence relation $\sim$ and we are interested in
WSP$(=, \neq, \sim, \not\sim)$ then there are three levels in the organizational hierarchy;

— constraints containing $\sim$ and $\not\sim$ have useful applications for many types of
authorization policies; and

— three-level hierarchies represent the "tipping point" at which WSP becomes hard, in
the sense that no polynomial kernel exists (see Section 6).

There are several situations in which we may have a single non-trivial equivalence
relation. Perhaps the most obvious one arises when a set of users is grouped into
distinct departments or organizational units, as we have previously noted. Other
possibilities arise from a natural re-interpretation of the authorization relation
$A \subseteq S \times U$: specifically, we define $u \sim_A u'$ if and only if $u$ and $u'$
are authorized for the same workflow steps. Then there are a maximum of $2^k$
equivalence classes (each associated with a particular subset of workflow steps). In a
role-based view of authorization [Sandhu et al. 1996], a set of permissions (such as
execution of workflow steps) defines a role. With this interpretation, a constraint of
the form $(\sim, s_1, s_2)$ requires that $s_1$ and $s_2$ are performed by users that are
assigned to the same role(s), with an analogous interpretation for $(\not\sim, s_1, s_2)$.¹⁰

We may also consider an authorization policy that associates users and workflow steps
with a security label, as in the Bell-LaPadula security model [Bell and LaPadula 1976].
More formally, let $L$ be a partially ordered set of security labels and
$\lambda : U \cup S \to L$ a function that associates each user and step with a security
label. Then a user is authorized to perform step $s$ if and only if $(s, u) \in A$ and
$\lambda(u) \geq \lambda(s)$. Clearly $\sim_\lambda$, where $u \sim_\lambda u'$ if and only if
$\lambda(u) = \lambda(u')$, is an equivalence relation. The constraint $(\sim, s_1, s_2)$
requires that steps $s_1$ and $s_2$ be performed by users with the same security
clearance. In short, there seem to be a number of situations in which the use of
constraints defined by equivalence relations will be useful.

THEOREM 5.4. Given a workflow (S, U, ≤, A, C) and a canonical hierarchy with ℓ levels, WSP_2(∼_1, ≁_1, ..., ∼_ℓ, ≁_ℓ) can be solved in time O(3^k n(c + n)), where n, k and c are the numbers of users, steps and constraints, respectively.

Theorem 4.1 is, essentially, a special case of the above result, in which the canonical hierarchy contains two levels, where U^(1) = ({u_1}, ..., {u_n}) and U^(2) = (U). To prove Theorem 5.4 we identify particular types of blocks in the hierarchy (those shaded in Figure 5) and solve multiple instances of WSP for each of those "significant" blocks. The results for significant blocks at a particular level are then used to solve instances of WSP for significant blocks at higher levels in the hierarchy.

Fig. 5. The canonical hierarchy of Figure 3 with its significant blocks shaded.

PROOF OF THEOREM 5.4. Each level in a canonical hierarchy is a refinement of the one below it and no two levels are equal, so we have n = |U^(1)| > ··· > |U^(ℓ)| = 1, and we may conclude that ℓ ≤ n.

We say V ∈ U^(i) is significant if V ∉ U^(i−1). We define the level range of V to be an interval [a, b], where a is the least value i such that V ∈ U^(i) and b is the largest value i such that V ∈ U^(i). The level range of block {a, b, c, d} in Figure 5 is [3, 5], for example.

Each significant block V with level range [a, b], a > 1, can be partitioned into blocks in level (a − 1). We denote this set of blocks by Δ(V). Each significant block V with level range [1, b] comprises a single user (see Figure 5). It is easy to see that the graph G = (V, E), where V is the set of significant blocks and (V_1, V_2) ∈ E if V_1 ∈ Δ(V_2), is a tree, in which the leaf nodes are blocks with level range [1, b] for some b ≤ ℓ.

^10 Of course, we could replace A with user- and permission-role assignment relations, but we could still derive the same equivalence classes.

Given an instance I of WSP_2(∼_1, ≁_1, ..., ∼_ℓ, ≁_ℓ), every subset F of S and every significant block V with children Δ(V) defines an instance of WSP in which:

— the set of steps is F;

— the set of users is Δ(V);

— the authorization relation A' is a subset of F × Δ(V), where (s, W) ∈ A' if and only if there exists a user v ∈ W such that (s, v) ∈ A;

— the set of constraints comprises those constraints in C of the form (ρ, S_1, S_2), where ρ is ∼_i or ≁_i with a ≤ i ≤ b.

We denote this derived instance of WSP by I_{F,V}. Note that if V has level range [1, b], then I_{F,V} asks whether a single user is authorized to perform all the steps in F without violating any constraints defined between levels 1 and b of the hierarchy. If V has level range [a, b], with a > 1, then I_{F,V} is solved using an approach similar to that described in the proof of Theorem 3.4. When building the matrix, the entry indexed by G ⊆ F and W ∈ Δ(V) is defined to be 0 if and only if G is ineligible or I_{G,W} is a no-instance of WSP. Thus, a non-zero matrix entry indicates that the steps in G could be assigned to the block W (meaning that no constraints in levels 1, ..., a − 1 would be violated) and that no constraints would be violated in levels a, ..., b by allocating a single block to G. Hence, we can solve I_{F,V} if we can solve I_{G,W} for all G ⊆ F and all W ∈ Δ(V).

Note, finally, that U is a significant set and a solution for I_{S,U} is a solution for I. Thus our algorithm for solving I solves I_{F,V} for all significant sets V with level range [a, b] from a = 1 to a = ℓ and all subsets F of S.

We now consider the complexity of this algorithm. Consider the significant block V with m children. If m = 0 then V = {u} for some u ∈ U and solving I_{F,V} amounts to identifying whether F is an eligible set and whether u is authorized for all steps in F. For fixed V (with m = 0), solving I_{F,V} for all F ⊆ S takes time O(2^k c). There are exactly n significant sets, one per user, with no children. If m > 0 then the time taken to solve I_{F,V} is O(2^{|F|}(c + m^2)), by Theorem 4.1. Hence the time taken to solve I_{F,V} for all F ⊆ S (for fixed V) is O(3^k(c + m^2)). As we observed earlier, the set of significant blocks ordered by subset inclusion forms a tree. Moreover, every non-leaf node in G has at least two children, which implies that G has no more than 2n − 1 nodes (so |V| ≤ 2n − 1), so there are at most n − 1 significant sets with 2 or more children.

The total time taken, therefore, is

$$O(2^k c n) + \sum_{V \in \mathcal{V}} O\big(3^k (c + m_V^2)\big) = O(3^k c n) + \sum_{V \in \mathcal{V}} O(3^k m_V^2),$$

where m_V denotes the number of children of V. Since G is a tree with at most 2n − 1 nodes, the numbers of children sum to at most 2n − 2, and so

$$\sum_{V \in \mathcal{V}} m_V^2 \le \Big(\sum_{V \in \mathcal{V}} m_V\Big)^2 = O(n^2).$$

Hence, we conclude that the total time taken to solve I_{F,V} for all F and all significant V is O(3^k cn + 3^k n^2) = O(3^k n(c + n)). □

Remark 5.5. The algorithm in the above proof can be optimized by computing a single matrix for each significant set V (with rows indexed by Δ(V) and columns indexed by subsets of S), which can be used to solve I_{F,V} for all F ⊆ S. This matrix can be built in time O(cm2^k) and the solution to I_{F,V}, for F ⊆ S, can be computed in time O(2^{|F|} m^2). Hence, the optimized algorithm runs in time O(cm2^k + m^2 3^k), for fixed V, and in time O(cn2^k + n^2 3^k) overall.
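The following is an added example, written for this page rather than taken from the paper, that makes the objects used in the proof of Theorem 5.4 concrete. It builds a three-level canonical hierarchy from a small authorization relation (level 1 the singletons, level 2 the classes of ∼_A defined earlier in this section, level 3 the set U), lists every significant block with its level range and its children Δ(V), and checks the bound of 2n − 1 significant blocks. The authorization relation, the user and step names and the function names are all assumptions of the example.

```python
# Added example (not the authors' code): significant blocks, level ranges and
# children Delta(V) of a canonical hierarchy derived from an authorization
# relation.  Levels are 1-indexed as in the proof of Theorem 5.4.

# Constructed authorization relation A ⊆ S × U: step -> authorized users.
AUTH = {
    "s1": {"alice", "bob"},
    "s2": {"alice", "bob", "carol"},
    "s3": {"carol", "dave"},
    "s4": {"dave"},
}


def users_of(auth):
    return set().union(*auth.values())


def equiv_classes_from_auth(auth):
    """Blocks of ~_A: u ~_A u' iff u and u' are authorized for the same steps."""
    classes = {}
    for u in users_of(auth):
        steps = frozenset(s for s, us in auth.items() if u in us)
        classes.setdefault(steps, set()).add(u)
    return {frozenset(c) for c in classes.values()}


def canonical_hierarchy(auth):
    """List of partitions U^(1), U^(2), ... (each a set of frozensets).
    Each level refines the next; a candidate equal to its predecessor is
    dropped because a canonical hierarchy has no two equal levels."""
    users = users_of(auth)
    candidates = [
        {frozenset([u]) for u in users},      # singletons
        equiv_classes_from_auth(auth),        # classes of ~_A
        {frozenset(users)},                   # U itself
    ]
    levels = []
    for part in candidates:
        if not levels or part != levels[-1]:
            levels.append(part)
    return levels


def level_ranges(levels):
    """Map each significant block V to its level range (a, b): a is the first
    level containing V (where V is significant), b the last."""
    ranges = {}
    for i, part in enumerate(levels, start=1):
        for block in part:
            ranges[block] = (ranges[block][0], i) if block in ranges else (i, i)
    return ranges


def children(block, ranges, levels):
    """Delta(V): the blocks of level a-1 that partition V; empty for range [1, b]."""
    a, _ = ranges[block]
    if a == 1:
        return []
    return sorted((w for w in levels[a - 2] if w <= block), key=sorted)


def tree_stats(auth):
    """(number of significant blocks, n, every non-leaf has >= 2 children)."""
    levels = canonical_hierarchy(auth)
    ranges = level_ranges(levels)
    n = len(levels[0])
    nonleaf_ok = all(len(children(b, ranges, levels)) >= 2
                     for b, (a, _) in ranges.items() if a > 1)
    return len(ranges), n, nonleaf_ok


if __name__ == "__main__":
    lv = canonical_hierarchy(AUTH)
    rg = level_ranges(lv)
    for blk, (a, b) in sorted(rg.items(), key=lambda kv: (kv[1], sorted(kv[0]))):
        print(sorted(blk), "level range", [a, b],
              "children", [sorted(w) for w in children(blk, rg, lv)])
    blocks, n, ok = tree_stats(AUTH)
    print("significant blocks:", blocks, "bound 2n-1:", 2 * n - 1, "non-leaves ok:", ok)
```

With the constructed relation the hierarchy has three levels; carol and dave are singleton classes of ∼_A and so have level range [1, 2], while {alice, bob} first appears at level 2. Six significant blocks result, within the bound 2n − 1 = 7.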

THEOREM 5.6. Let U^(1), ..., U^(ℓ) define a canonical organizational hierarchy. Let W = (S, U, ≤, A, C ∪ C_∼ ∪ C_≁) be a workflow, where C is the set of Type 2 constraints, C_∼ is the set of Type 3 constraints of the form (∼_i, S_1, S_2) and C_≁ is the set of Type 3 constraints of the form (≁_i, S_1, S_2). Then the satisfiability of W can be determined in time

$$O\big((c + 2c')\, n\, 2^{k + c'} + n^2\, 3^{k + c'}\big),$$

where c = |C| + |C_∼| and c' = |C_≁|. Moreover, c' ≤ 3^k, so WSP_3(∼_1, ≁_1, ..., ∼_ℓ, ≁_ℓ) is fixed-parameter tractable.

The proof of this result can be found in the appendix.
6. KERNELIZATION 

Formally, a parameterized problem P can be represented as a relation P ⊆ Σ* × ℕ over a finite alphabet Σ. The second component is called the parameter of the problem. In particular, WSP is a parameterized problem with parameter k, the number of steps. We denote the size of a problem instance (x, k) by |x| + k. In this section, we are interested in transforming an instance of WSP into a new instance of WSP whose size is dependent only on k. This type of transformation is captured in the following definition.

Definition 6.1. Given a parameterized problem P, a kernelization of P is an algorithm that maps an instance (x, k) to an instance (x', k') in time polynomial in |x| + k such that (i) (x, k) ∈ P if and only if (x', k') ∈ P, and (ii) k' + |x'| ≤ g(k) for some function g; (x', k') is the kernel and g is the size of the kernel.

Note that a kernelization provides a form of preprocessing aimed at compressing the given instance of the problem. The compressed instance can be solved using any suitable algorithm (such as a SAT solver), not necessarily by an FPT algorithm. It is well-known and easy to prove that a decidable parameterized problem is FPT if and only if it has a kernel [Flum and Grohe 2006]. If g(k) = k^{O(1)}, then we say (x', k') is a polynomial-size kernel.

Polynomial-size kernels are particularly useful in practice as they often allow us to reduce the size of the input of the problem under consideration to an equivalent problem with an input of significantly smaller size. This preprocessing often allows us to solve the original problem more quickly. Unfortunately, many fixed-parameter tractable problems have no polynomial-size kernels (unless coNP ⊆ NP/poly, which is highly unlikely [Bodlaender et al. 2009; Bodlaender et al. 2011a; Bodlaender et al. 2011b; Dom et al. 2009]).

In order to illustrate the benefits of kernelization, we first state and prove three simple results, the first two of which extend a result of Fellows et al. [2011]. We then show that WSP_1(=, ≠) has a kernel with at most k users.

PROPOSITION 6.2. WSP(≠) has a kernel with at most k(k − 1) users. Moreover, a kernel with at most k(k − 1) users exists if we extend the set of constraints to include counting constraints of the form (1, t_r, S').

PROOF. Let W = (S, U, ≤, A, C) be a workflow in which all constraints have the form (≠, S_1, S_2). Let S_easy be the set of steps such that each step has at least k authorized users and let S_hard be S \ S_easy. Now consider the workflow W_hard = (S_hard, U_hard, ≤_hard, A_hard, C_hard), where u ∈ U_hard if and only if u is authorized for at least one step in S_hard, A_hard = (S_hard × U) ∩ A, and (≠, S_1, S_2) ∈ C_hard if and only if (≠, S_1, S_2) ∈ C and S_1, S_2 ⊆ S_hard. A counting constraint of the form (1, t_r, S') is replaced by the counting constraint (1, t_r, S' \ S_easy).

We now solve the WSP instance defined by W_hard and show that this allows us to compute a solution for W. If W_hard is a no instance, then W cannot be satisfiable either (since C_hard ⊆ C). Conversely, if it is a yes instance, then there exists a plan π_hard : S_hard → U_hard. Moreover, we can extend π_hard to a plan π : S → U, so W is satisfiable. Specifically, we allocate a different user from U \ π_hard(S_hard) to each step s ∈ S_easy (which is possible since there are at least k users authorized to perform s and only k steps in total) and define π(s) = π_hard(s) for all s ∈ S_hard. Clearly, π does not violate any constraint of the form (≠, S_1, S_2) or (1, t_r, S').^11

In other words, we can solve WSP for W by solving WSP for W_hard, which has no more than k steps and in which each step has fewer than k authorized users. Hence, there can be no more than k(k − 1) authorized users in W_hard. □

COROLLARY 6.3. WSP_1(≠) can be solved in time O*(2^k), that is, 2^k times a polynomial in k.

PROOF. The result follows immediately from Theorem 4.1, the fact that there can be no more than O(k^2) Type 1 constraints, and the proposition above. □

PROPOSITION 6.4. WSP_1(≠, =) has a kernel with at most k(k − 1) users.

PROOF. The basic idea is to merge all steps that are related by constraints of the form (=, s_1, s_2) for s_1, s_2 ∈ S. More formally, consider an instance I of WSP_1(=, ≠), given by a workflow (S, U, ≤, A, C).

(1) Construct a graph H with vertices S, in which s', s" G S are adjacent if C includes 
a constraint (=, s', s"). 

(2) If there is a connected component of H that contains both s' and s'' and C contains a constraint (≠, s', s'') then I is unsatisfiable, so we may assume there is no such connected component.

(3) For each connected component T of H,

(a) replace all steps of T in S by a "superstep" t;

(b) for each such superstep t, authorize user u for t if and only if u was authorized (by A) for all steps in t;

(c) for each such superstep t, merge all constraints for steps in t.

Clearly, we now have an instance of WSP_1(≠), perhaps with fewer steps and a modified authorization relation, that is satisfiable if and only if I is satisfiable. The result now follows by Proposition 6.2.

The reduction can be performed in time O(kc + kn), where c is the number of constraints: step (1) takes time O(k + c); step (3) performs at most k merges; each merge takes O(k + c + n) time (since we need to merge vertices, and update constraints and the authorization relation for the new vertex set);^12 finally, if k ≤ c we have O(k(k + c + n)) = O(k(c + n)), and if c < k then we perform no more than c merges in time O(c(k + c + n)) = O(ck + cn) = O(ck + kn). □
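As an added example (not the authors' code), the preprocessing of Propositions 6.4 and 6.2 is run end to end on a constructed WSP_1(=, ≠) instance: steps joined by "=" are merged into supersteps, supersteps with at least k authorized users are set aside as easy, the remaining kernel (which has at most k(k − 1) users) is solved by backtracking, and the plan is extended with a fresh user for each easy step. The instance, the identifiers and the tuple encoding of constraints are assumptions of the example.

```python
# Added example (not the authors' code): Propositions 6.4 and 6.2 run end
# to end on a constructed WSP_1(=, !=) instance.  Constraints are tuples
# ("=", s, s') or ("!=", s, s'); the authorization relation is step -> users.
STEPS = ["s1", "s2", "s3", "s4", "s5"]                    # k = 5
AUTH = {"s1": {"u1", "u2", "u3"}, "s2": {"u1", "u2"}, "s3": {"u1", "u2"},
        "s4": {"u1", "u2", "u3", "u4", "u5", "u6"}, "s5": {"u3", "u4", "u5", "u6"}}
CONSTRAINTS = [("=", "s1", "s2"), ("!=", "s1", "s3"),
               ("!=", "s3", "s4"), ("!=", "s4", "s5")]


def merge_supersteps(steps, auth, constraints):
    """Proposition 6.4, steps (1)-(3): merge '='-connected steps into
    supersteps (frozensets).  Returns (supersteps, auth', set of '!=' pairs),
    or None when a '!=' constraint lies inside one component (step (2))."""
    parent = {s: s for s in steps}

    def find(s):
        while parent[s] != s:
            parent[s] = parent[parent[s]]
            s = parent[s]
        return s

    for rel, a, b in constraints:
        if rel == "=":
            parent[find(a)] = find(b)
    comps = {}
    for s in steps:
        comps.setdefault(find(s), set()).add(s)
    block_of = {s: frozenset(c) for c in comps.values() for s in c}
    supersteps = sorted(set(block_of.values()), key=sorted)
    # step 3(b): authorized for a superstep iff authorized for all its steps
    new_auth = {t: set.intersection(*(auth[s] for s in t)) for t in supersteps}
    neq = set()
    for rel, a, b in constraints:
        if rel == "!=":
            if block_of[a] == block_of[b]:
                return None
            neq.add((block_of[a], block_of[b]))
    return supersteps, new_auth, neq


def easy_hard_split(supersteps, auth, neq):
    """Proposition 6.2: a step with fewer than k authorized users is hard.
    The kernel keeps hard steps, their users and the constraints among them."""
    k = len(supersteps)
    hard = [t for t in supersteps if len(auth[t]) < k]
    hard_users = set().union(*(auth[t] for t in hard)) if hard else set()
    hard_neq = {(a, b) for a, b in neq if a in hard and b in hard}
    assert len(hard_users) <= k * (k - 1)            # kernel size bound
    return hard, hard_users, hard_neq


def solve_neq(steps, auth, neq):
    """Backtracking solver for a small WSP_1(!=) kernel; plan or None."""
    plan = {}

    def allowed(s, u):
        return all(plan.get(b) != u for a, b in neq if a == s) and \
            all(plan.get(a) != u for a, b in neq if b == s)

    def extend(i):
        if i == len(steps):
            return True
        for u in sorted(auth[steps[i]]):
            if allowed(steps[i], u):
                plan[steps[i]] = u
                if extend(i + 1):
                    return True
                del plan[steps[i]]
        return False

    return dict(plan) if extend(0) else None


def solve_wsp1(steps, auth, constraints):
    """Merge, kernelize, solve the kernel, then extend the plan to all steps."""
    merged = merge_supersteps(steps, auth, constraints)
    if merged is None:
        return None
    supersteps, sauth, neq = merged
    hard, _, hard_neq = easy_hard_split(supersteps, sauth, neq)
    plan = solve_neq(hard, sauth, hard_neq)
    if plan is None:
        return None
    used = set(plan.values())
    for t in supersteps:                  # easy step: any unused authorized
        if t not in plan:                 # user; one is left since |auth| >= k
            plan[t] = min(sauth[t] - used)
            used.add(plan[t])
    return {s: plan[t] for t in supersteps for s in t}


def verify_plan(plan, auth, constraints):
    """Authorization plus every '=' / '!=' constraint of the original instance."""
    return all(plan[s] in auth[s] for s in plan) and all(
        (plan[a] == plan[b]) == (rel == "=") for rel, a, b in constraints)
```

On the constructed instance the merge leaves four supersteps, only {s1, s2} and s3 are hard, and the kernel has two users against the bound k(k − 1) = 12; the backtracking runs only on that kernel, and the easy steps are filled in without any search.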

THEOREM 6.5. WSP_1(=, ≠) admits a kernel with at most k users.

PROOF. We first use the WSP_1 constraint reduction method from the proof of Proposition 6.4 to eliminate all constraints of the form (=, s', s''), leaving an instance I of WSP_1(≠). We now construct a bipartite graph G = (U, S; A), where A ⊆ S × U is the authorization relation. We may assume that |U| ≥ |S| = k.

^11 Note that this is not true for counting constraints of the form (t_ℓ, t_r, S') when t_ℓ > 1.

^12 We can check step (2) when we merge constraints in step 3(c).

Let V = U ∪ S. Using the well-known Hopcroft-Karp algorithm, we can find a maximum matching M in G in time O(√|V| · |A|).^13 If M covers every vertex of S, then I is satisfiable and our kernel is the subgraph of G induced by all vertices covered by M. (Since there is at most one edge in M for each vertex in S and at most one edge for each vertex in U, there are exactly k users covered and we have a kernel containing k users.)

If M does not cover every vertex of S then we define R_{G,M} to be the set of vertices of G which can be reached from some uncovered vertex in S by an M-alternating path.^14 Then a result of Szeider [2004, Lemma 3] asserts that we can compute R_{G,M} in time O(|U| + |S| + |A|). We write R_{G,M} in the form U' ∪ S' for some U' ⊆ U and S' ⊆ S. The set U' ∪ S' has the following properties [Szeider 2004, Lemma 3]:

P1. All vertices of S \ S' are covered by M;

P2. There is no edge in G from U \ U' to S' and no edge of M joins vertices in U' with vertices in S \ S';

P3. In the subgraph of G induced by U' ∪ S', the vertices of any set U'' ⊆ U' have at least |U''| + 1 neighbors in S'.

A bipartite graph G, a maximum matching M in G (indicated by the thicker lines), and the sets U' and S' are shown in Figure 6; the figure is based on one used by Szeider [2004].

Fig. 6. Constructing a kernel for WSP using a maximum matching (the figure labels the parts U', U \ U', S' and S \ S').

Hence, we can assign users to all steps that are not in S' (using M) and we will not violate any separation-of-duty constraints by doing so. Moreover, property (P2) means that allocating users in U' to steps in S' will not violate any separation-of-duty constraints. In other words, we have reduced the problem instance to finding a solution to a smaller instance (the kernel) in which the set of users is U', the set of steps is S', and |U'| < |S'| ≤ k. □

The authorization relation A ⊆ S × U defines the bipartite graph used to construct the matching. The computation of a maximum matching in time O(|A| · √(n + k)) = O(nk√(n + k)) enables us to compute a partial plan π, where an edge in the matching corresponds to a step s and a user u = π(s). If the maximum matching has cardinality k, then we are done. Otherwise, we solve WSP for the kernel.

When the cardinality of A is high (so the computation of the maximum matching is relatively slow), many users are authorized for many steps. In this case, therefore, the observation that only those steps for which fewer than k users are authorized need to be considered may mean that it is easy to decide whether the instance is satisfiable.

^13 A matching in a bipartite graph is a set of edges that are pairwise non-adjacent. A maximum matching contains the largest possible number of edges.

^14 An M-alternating path has the property that for any pair of successive edges one belongs to M and the other does not.
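The kernelization of Theorem 6.5 as an added example on a constructed instance (not the authors' code). Kuhn's augmenting-path algorithm stands in for Hopcroft-Karp (it yields a maximum matching as well, with simpler code); the alternating-path search computes R_{G,M} = U' ∪ S' starting from the steps M leaves uncovered, the partial plan is read off M on S \ S', and a brute-force check confirms properties P1 to P3 on the result. The instance, the names and the function signatures are assumptions of the example.

```python
# Added example (not the authors' code): the matching-based kernel of
# Theorem 6.5.  A maximum matching is found by repeated augmenting paths,
# then R_{G,M} = U' ∪ S' is the set of vertices reachable from an uncovered
# step by an M-alternating path.
from itertools import combinations

# Constructed instance: steps s1 and s2 both depend on the single user u1,
# so no matching covers all of S.
STEPS = ["s1", "s2", "s3", "s4", "s5"]
AUTH = {"s1": {"u1"}, "s2": {"u1"}, "s3": {"u1", "u2"},
        "s4": {"u3"}, "s5": {"u4", "u5"}}


def max_matching(steps, auth):
    """Maximum matching in the bipartite graph (U, S; A), as step -> user."""
    match_user = {}                        # user -> step currently matched

    def augment(s, seen):
        for u in sorted(auth[s]):
            if u in seen:
                continue
            seen.add(u)
            if u not in match_user or augment(match_user[u], seen):
                match_user[u] = s
                return True
        return False

    for s in steps:
        augment(s, set())
    return {s: u for u, s in match_user.items()}


def alternating_reach(steps, auth, matching):
    """R_{G,M}: from every step not covered by M, leave a step along a
    non-matching edge and come back to a step along its matching edge."""
    step_of = {u: s for s, u in matching.items()}
    S_r = {s for s in steps if s not in matching}
    U_r = set()
    frontier = list(S_r)
    while frontier:
        s = frontier.pop()
        for u in auth[s]:
            if u in U_r or matching.get(s) == u:
                continue
            U_r.add(u)
            t = step_of.get(u)
            if t is not None and t not in S_r:
                S_r.add(t)
                frontier.append(t)
    return U_r, S_r


def szeider_properties(steps, auth, matching, U_r, S_r):
    """Check P1-P3 from the proof (P3 by brute force; fine for a small U')."""
    p1 = all(s in matching for s in steps if s not in S_r)
    p2 = all(u in U_r for s in S_r for u in auth[s]) and \
        all(s in S_r for s, u in matching.items() if u in U_r)
    p3 = all(
        len({s for s in S_r if auth[s] & set(sub)}) >= len(sub) + 1
        for r in range(1, len(U_r) + 1) for sub in combinations(sorted(U_r), r))
    return p1, p2, p3


def kernelize(steps, auth):
    """Return (partial plan from M on S \\ S', kernel users U', kernel steps S').
    When M covers S the partial plan is a full plan and the kernel is empty."""
    matching = max_matching(steps, auth)
    U_r, S_r = alternating_reach(steps, auth, matching)
    partial = {s: u for s, u in matching.items() if s not in S_r}
    return partial, U_r, S_r


if __name__ == "__main__":
    partial, U_r, S_r = kernelize(STEPS, AUTH)
    print("partial plan:", partial)
    print("kernel: users", sorted(U_r), "steps", sorted(S_r))
```

On the constructed instance the matching covers four of the five steps; the alternating-path search from s2 reaches u1 and, through the matching edge, s1, so the kernel is U' = {u1}, S' = {s1, s2}. Whether that kernel is satisfiable depends only on the separation-of-duty constraints between s1 and s2, which is exactly what the page leaves to the solver applied afterwards; the other three steps already have their users fixed by M.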

We now state some negative results, negative in the sense that they assert that 
certain instances of WSP do not have polynomial-size kernels. The proofs of these 
results can be found in the appendix. 

THEOREM 6.6. WSP_2(=) does not admit a kernel with a polynomial number of users unless coNP ⊆ NP/poly.

THEOREM 6.7. WSP with counting constraints of the type (2, t, S') does not admit a kernel with a polynomial number of users unless coNP ⊆ NP/poly.

The above results tell us that there may be little to be gained from preprocessing an instance of WSP_2(=) or an instance that contains arbitrary counting constraints, and we may simply apply the techniques described in Section 4. Our final result in this section proves that the existence of a polynomial kernel is unlikely when we consider WSP for canonical organizational hierarchies, even when we restrict attention to Type 1 constraints and hierarchies with only three levels.

THEOREM 6.8. The problem WSP_1(=, ≠, ∼, ≁), where ∼ is an equivalence relation defined on U, does not have a polynomial kernel, unless NP ⊆ coNP/poly.

7. CONCLUDING REMARKS 

In general terms, the results reported in this paper provide a much improved under- 
standing of the fixed parameter tractability of the workflow satisfiability problem. In 
particular, we have developed a technique — the reduction of WSP to Max Weighted 
Partition — that guarantees an instance of WSP is FPT, provided all constraints sat- 
isfy two simple criteria. This enables the designer of workflow systems to determine 
whether the satisfiability of a workflow specification is FPT by examining the con- 
straints defined in the specification. Our results in this paper achieve several specific 
things. 

— First, the use of the Max Weighted Partition problem to solve WSP allows us 
to develop a fixed-parameter algorithm for which the worst-case run-time is signifi- 
cantly better than known algorithms. 

— Second, this algorithm can be used to solve more general constraints — counting 
constraints, Type 3 entailment constraints and constraints based on equivalence 
relations — than was possible with existing methods. In short, we have extended the 
classes of workflow specifications for which the satisfiability problem is known to be 
FPT. 

— Third, we have established the circumstances under which an instance of WSP has a polynomial kernel. As well as providing the first results of this type for WSP, kernelization is of enormous practical value. The computation of a maximum matching in time O(nk√(n + k)) is an extremely useful technique for deriving a (partial) plan for an instance of WSP. Moreover, the reduction in the size of the problem instance when the maximum matching generates a partial plan will significantly reduce the complexity of solving instances of WSP_1(=, ≠).

— Finally, we have significantly extended our understanding of those instances of 
WSP that are FPT. Specifically, WSP is FPT for any workflow specification that 
only includes constraints that are regular and for which (in)eligibility can be deter- 
mined in time polynomial in the number of steps. In particular, we have established 
that WSP problems which include constraints based on counting constraints and 
on user equivalence classes — enabling us to model organizational structures and 
business rules defined in terms of those structures — are still FPT. 
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In short, we believe our results represent a significant step forward in our understand- 
ing of the complexity of WSP and provide the blueprints for algorithms that can find 
efficient solutions for many practical instances of WSP. 

7.1. Related Work 

Work on computing plans for workflows that must simultaneously satisfy authorization policies and constraints goes back to the seminal paper of Bertino et al. [1999]. This work considered linear workflows and noted the existence of an exponential algorithm for computing valid plans.

Crampton extended the model for workflows to partially ordered sets (equivalently, directed acyclic graphs) and to directed acyclic graphs with loops [Crampton 2005]. Wang and Li further extended this model to include Type 2 constraints and established the computational complexity and, significantly, the existence of fixed-parameter tractable algorithms for WSP_2(=, ≠) [Wang and Li 2010]. Moreover, they established that WSP_2 is W[1]-hard, in general.

Recent work by Basin et al. [2011] introduces the notion of release points to model certain types of workflow patterns and defines the concept of obstruction, which is related to the notion of unsatisfiability. They prove that the enforcement process existence problem (EPEP), which is analogous to WSP for this extended notion of unsatisfiability, is NP-hard with complexity doubly-exponential in the number of users and constraints.

Independently of the work on authorization in workflows, there exists a vast literature on constraint satisfaction problems. In this context, Fellows et al. [2011] studied WSP_1(≠) and proved that this problem is fixed-parameter tractable.

Our work improves on that of Wang and Li and of Fellows et al. by establishing a tighter bound on the exponential factor of the fixed-parameter complexity for the relevant instances of WSP (Theorem 4.1). Moreover, our work establishes that it is unlikely that our bound can be significantly improved (Theorem 4.2). We extend the types of constraints that can be defined by introducing counting constraints and Type 3 entailment constraints, and we have shown that WSP remains fixed-parameter tractable (Theorems 3.6 and 5.1).

Most recently, we showed how WSP for entailment constraints could be reduced 
to Max Weighted Partition for particular constraint relations. In this paper, we 
have extended our approach to include any form of constraint that is regular and for 
which eligibility can be determined in time polynomial in the number of steps. This 
represents a significant advance as it means we need only test whether a constraint is 
regular and devise an efficient eligibility test to deploy our techniques for solving WSP. 

7.2. Future Work 

There are many opportunities for further work in this area, both on the more theoretical complexity analysis and on extensions of WSP to richer forms of workflows. In particular, we hope to identify which security requirements can be encoded using constraints that satisfy the criteria identified in Theorem 3.4. A very natural relationship between users is that of seniority: we would like to establish whether the inclusion of constraints based on this binary relation affects the fixed-parameter tractability of WSP.

There exists a sizeable body of work on workflow patterns. Many workflows in practice require the ability to iterate a subset of steps in a workflow, or to branch (so-called OR-forks and AND-forks) and to then return to a single flow of execution (OR-joins and AND-joins) [van der Aalst et al. 2003]. A variety of computational models and languages have been used to represent such workflows, including Petri nets and temporal logic. To our knowledge, the only complexity results for richer workflow patterns are those of Basin et al. described above, which can handle iterated sub-workflows. We will consider the fixed-parameter tractability of EPEP, and WSP for richer workflow patterns, in our future work.

Wang and Li also introduced the notion of workflow resiliency. The static t-resiliency checking problem (SRCP) asks whether a workflow specification remains satisfiable if some subset of t users is absent. Clearly SRCP is NP-hard as the case t = 0 corresponds to WSP. Evidently, SRCP can be resolved by considering the $\binom{n}{t}$ instances of WSP that can arise when t users are absent. Hence, SRCP is in coNP^NP [Wang and Li 2010, Theorem 13]. The problems of deciding whether a workflow has dynamic or decremental t-resiliency are PSPACE-complete [Wang and Li 2010, Theorems 14–15]. Basin et al. [2012] study a related problem called the optimal workflow-aware authorization administration problem, which determines whether it is possible to modify the authorization relation, subject to some bound on the "cost" of the changes, when the workflow is unsatisfiable. It will be interesting, therefore, to explore whether we can better understand the parameterized complexity of these kinds of problems.

A. PROOFS OF THEOREMS

In this appendix, we provide proofs of Theorems 4.2, 6.6, 6.8 and 5.6. Before proving Theorem 4.2, we define two problems related to 3-SAT and state two preparatory lemmas.



c-LINEAR-3-SAT

Input: A 3-CNF formula φ with m clauses and n variables such that m ≤ cn, where c is a positive integer.
Output: Decide whether there is a truth assignment satisfying φ.



Let φ be a CNF formula. A truth assignment for φ is a NAE-assignment if, in each clause, it sets at least one literal true and at least one literal false. We say φ is NAE-satisfiable if there is a NAE-assignment for φ.



NOT-ALL-EQUAL-3-SAT (NAE-3-SAT)

Input: A CNF formula φ in which every clause has exactly three literals.
Output: Decide whether φ is NAE-satisfiable.



The first of our lemmas, which we state without proof, is due to Impagliazzo et al. [Impagliazzo et al. 2001] (see also [Crowston et al. 2012]).

LEMMA A.1. Assuming the Exponential Time Hypothesis, there exist a positive integer L and a real number δ > 0 such that L-LINEAR-3-SAT cannot be solved in time O(2^{δn}).

LEMMA A.2. Assuming the Exponential Time Hypothesis, there exists a real number ε > 0 such that NAE-3-SAT cannot be solved in time O(2^{εn}), where n is the number of variables.

PROOF. Let L be an integer and δ be a positive real such that L-LINEAR-3-SAT cannot be solved in time O(2^{δn}). Such constants L and δ exist by Lemma A.1. Suppose we have a polynomial time reduction from L-LINEAR-3-SAT to NAE-3-SAT and a positive integer c' such that if a formula in L-LINEAR-3-SAT has n variables then the corresponding formula in NAE-3-SAT has n' variables and n' ≤ c'n. Let ε = δ/c' and suppose that NAE-3-SAT can be solved in time O(2^{εn'}), where n' is the number of variables. Then L-LINEAR-3-SAT can be solved in time O(2^{εn'}) ⊆ O(2^{εc'n}) = O(2^{δn}), a contradiction to the definition of δ.
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It remains to describe the required polynomial time reduction from L-LlNEAR-3- 
SAT to NAE-3-SAT. Recall that for every formula in L-LlNEAR-3-SAT we have m < 
Ln, where m and n are the numbers of clauses and variables, respectively. We will 
show that our reduction gives c' < 2(1 + L). Let be a formula of L-LlNEAR-3-SAT. 
Replace every clause C — (u V v V w) in (p by 

(u V v V xc) A (w V V yc) A (x c V yc V z) (1) 

to obtain a formula tp of NAE-3-SAT. Here variables xc and are new for every 
clause C and z is a new variable but it is common for all clauses of <fi. We will show that 
4> is satisfiable if and only if tp is NAE-satisfiable. This will give us c'n < n + 2m + 1 < 
2(1 + L)n implying c' < 2(1 + L). 

Let V_φ and V_ψ be the sets of variables of φ and ψ, respectively. Hereafter 1 stands for TRUE and 0 for FALSE.

Assume that φ is satisfiable and consider a truth assignment τ : V_φ → {0, 1} that satisfies φ. We will extend τ to V_ψ such that the extended truth assignment is a NAE-assignment for ψ. We set τ(z) = 1. For each clause C = (u ∨ v ∨ w) of φ, we set τ(y_C) = 0 and τ(x_C) = 1 − max{τ(u), τ(v)}. Consider (1). Since τ(y_C) = 0 and τ(z) = 1, τ is a NAE-assignment for the third clause in (1). Since max{τ(u), τ(v)} ≠ τ(x_C), τ is a NAE-assignment for the first clause of (1). Also, τ is a NAE-assignment for the second clause of (1) because either τ(x_C) = τ(y_C) = 0, or τ(u) = τ(v) = 0 and, hence, τ(w) = 1.

Now assume that ψ is NAE-satisfiable and consider a NAE-assignment τ : V_ψ → {0, 1} for ψ. Since τ' : V_ψ → {0, 1} is a NAE-assignment for ψ if and only if so is τ''(t) = 1 − τ'(t), t ∈ V_ψ, we may assume that τ(z) = 1. Since τ is a NAE-assignment for the third clause of (1), we have min{τ(x_C), τ(y_C)} = 0. If τ(x_C) = 0 then max{τ(u), τ(v)} = 1; otherwise τ(x_C) = 1 and τ(y_C) = 0, implying that τ(w) = 1. Therefore, either max{τ(u), τ(v)} = 1 or τ(w) = 1 and, thus, C is satisfied by τ. □

PROOF OF THEOREM 4.2. Consider a CNF formula φ, which is an instance of NAE-3-SAT. Let {s_1, ..., s_n} be the variables of φ and let us denote the negation of s_i by s_{i+n} for each i ∈ [n]. For example, a clause (s_1 ∨ ¬s_2 ∨ ¬s_3) will be written as (s_1 ∨ s_{n+2} ∨ s_{n+3}). For j ∈ [2n], we write s_j = 1 if we assign TRUE to s_j and s_j = 0 otherwise.

Now we construct an instance of WSP. The set of steps is {s_1, ..., s_k}, where k = 2n, and there are two users, u_0 and u_1. We will assign user u_i to a step s_j if and only if s_j is assigned i in φ. For each j ∈ [n] we set the constraint (≠, s_j, s_{j+n}). For every clause of φ with literals s_h, s_p, s_q we set the constraint (≠, s_h, {s_p, s_q}). We also assume that each user can perform every step subject to the above constraints.

Observe that the above instance of WSP is satisfiable if and only if φ is NAE-satisfiable. Thus, we have obtained a polynomial time reduction of NAE-3-SAT to WSP with ≠ being the only binary relation used in the workflow and with just two users. Now our theorem follows from Lemma A.2. □
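An added example (not the authors' code) of the reduction just described: it builds the two-user WSP instance from a NAE-3-SAT formula and checks by brute force that the formula and the workflow instance agree on a constructed satisfiable and a constructed unsatisfiable formula. The literal encoding (signed integers) and the function names are assumptions of the example; the semantics of the Type 2 constraint (≠, s, S') follows the page, namely that the user of s differs from the user of some step in S'.

```python
# Added example (not the authors' code): the reduction in the proof of
# Theorem 4.2 from NAE-3-SAT to WSP with two users and only the relation
# "!=", verified by brute force.  Literals are signed integers (+i for s_i,
# -i for its negation); variable i becomes step i and its negation step i+n.
from itertools import product


def literal_step(lit, n):
    return lit if lit > 0 else -lit + n


def reduce_nae3sat_to_wsp(clauses, n):
    """Return (steps, users, Type 1 '!=' pairs, Type 2 '!=' constraints)."""
    steps = list(range(1, 2 * n + 1))                       # k = 2n
    users = [0, 1]                                          # u_0, u_1
    type1 = [(j, j + n) for j in range(1, n + 1)]           # (!=, s_j, s_{j+n})
    type2 = []
    for clause in clauses:
        h, p, q = (literal_step(l, n) for l in clause)
        type2.append((h, {p, q}))                           # (!=, s_h, {s_p, s_q})
    return steps, users, type1, type2


def wsp_satisfiable(steps, users, type1, type2):
    """Brute force over all plans; every user is authorized for every step.
    (!=, s, S') holds iff pi(s) != pi(t) for some t in S'."""
    for assignment in product(users, repeat=len(steps)):
        plan = dict(zip(steps, assignment))
        if all(plan[a] != plan[b] for a, b in type1) and \
           all(any(plan[h] != plan[t] for t in others) for h, others in type2):
            return True
    return False


def nae_satisfiable(clauses, n):
    """Brute force NAE-3-SAT: every clause has a true and a false literal."""
    for bits in product((0, 1), repeat=n):
        def value(lit):
            return bits[lit - 1] if lit > 0 else 1 - bits[-lit - 1]
        if all(0 < sum(value(l) for l in clause) < 3 for clause in clauses):
            return True
    return False


def reduction_agrees(clauses, n):
    """True iff the WSP instance and the formula have the same answer."""
    return wsp_satisfiable(*reduce_nae3sat_to_wsp(clauses, n)) == \
        nae_satisfiable(clauses, n)


# Constructed formulas over s_1, s_2, s_3.
NAE_SAT = [(1, 2, 3), (-1, 2, -3)]
NAE_UNSAT = [(1, 2, 3), (-1, 2, 3), (1, -2, 3), (1, 2, -3)]   # every assignment makes some clause all-equal

if __name__ == "__main__":
    for name, f in (("sat", NAE_SAT), ("unsat", NAE_UNSAT)):
        print(name, "NAE:", nae_satisfiable(f, 3),
              "WSP:", wsp_satisfiable(*reduce_nae3sat_to_wsp(f, 3)))
```

The pair (≠, s_j, s_{j+n}) forces the two steps of a variable onto different users, so a plan is exactly a truth assignment, and (≠, s_h, {s_p, s_q}) forbids the three literal-steps of a clause from sharing one user, which is the not-all-equal condition.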

Before proving Theorem 6.6 we introduce a definition and a result due to Bodlaender et al. [2011b].

Definition A.3. Let P and Q be parameterized problems. We say a polynomial time computable function f : Σ* × ℕ → Σ* × ℕ is a polynomial parameter transformation from P to Q if there exists a polynomial p : ℕ → ℕ such that for any (x, k) ∈ Σ* × ℕ, (x, k) ∈ P if and only if f(x, k) = (x', k') ∈ Q, and k' ≤ p(k).

LEMMA A.4. [Bodlaender et al. 2011b, Theorem 3] Let P and Q be parameterized problems, and suppose that P^c and Q^c are the derived classical problems (where we disregard the parameter). Suppose that P^c is NP-complete, and Q^c ∈ NP. Suppose that f is a polynomial parameter transformation from P to Q. Then, if Q has a polynomial-size kernel, then P has a polynomial-size kernel.
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Proof of Theorem [6J0 We may formulate the Hitting Set problem as a prob- 
lem for bipartite graphs. We are given a bipartite graph with with partite sets U = 
{u\, . . . , u n } and V = {v±, . . . , v m } and edge set E. We are to decide whether there is a 
subset H of U with at most fc vertices such that each v eV has a neighbor in H. 

We say that two problem s are equivalent if e very yes instance of one corresponds to 



a yes instance of the other. Wang and Li [2010 Lemma 4] proved that Hitting Set is 
equivalent to the following subproblem n of WSP2(=). We have U as the set of users, 
V US as the set of k' = m+k steps, every user Uj is authorized to perform any step from 
S and every step Vi such that UjVi e E, and (=, Vi, S), i e [m], is the set of constraints 
of Type 2. 

Observe that the above construction gives a polynom ial parameter tr ansformation 
from HITTING Set parameterized by m + k to WSP 2 (=). |Dom et al. [2009] proved that 
Hitting Set parameterized by m + k does no t adm it a polynomial-size kernel unless 
coNP C NP/poly. Now we are done by Lemma |A74l □ 

PROOF OF THEOREM 6.7. We will use the polynomial parameter transformation from HITTING SET parameterized by m + k to the subproblem Π of WSP described in the proof of Theorem 6.6. We obtain a subproblem Π* of WSP with counting constraints of the type (2, t, S') from Π by keeping the same set U of users and the same set V ∪ S of steps, but by replacing the constraints of Π with (2, k + 1, S ∪ {v_i}), i ∈ [m].

We now prove that Π and Π* are equivalent, from which the result follows by Theorem 6.6.

Let π* be a valid plan for Π* and let π be obtained from π* by restricting it to V ∪ S. Observe that if a constraint (2, k + 1, S ∪ {v_i}) is satisfied by π*, then (=, v_i, S) is satisfied by π. Thus, π is a valid plan for Π.

Let π be a valid plan for Π and let π* be obtained from π by reassigning to π(v_i) every step s in S such that the user π(s) is assigned to perform just one step in V ∪ S. Observe that if (=, v_i, S) is satisfied by π, then (2, k + 1, S ∪ {v_i}) is satisfied by π*. Thus, π* is a valid plan for Π*. □

The following two definitions and Theorem lA.7l are due to Bodlaender et al. [20 11a[ . 

Definition A.5 (Polynomial equivalence relation). An equivalence relation $\mathcal{R}$ on $\Sigma^*$ is called a polynomial equivalence relation if the following two conditions hold:

— There is an algorithm that, given two strings $x, y \in \Sigma^*$, decides whether $x$ and $y$ belong to the same equivalence class in $(|x| + |y|)^{O(1)}$ time.

— For any finite set $S \subseteq \Sigma^*$ the equivalence relation $\mathcal{R}$ partitions the elements of $S$ into at most $(\max_{x \in S} |x|)^{O(1)}$ equivalence classes.

Definition A.6 (Cross-composition). Let $L \subseteq \Sigma^*$ be a problem and let $Q \subseteq \Sigma^* \times \mathbb{N}$ be a parameterized problem. We say that $L$ cross-composes into $Q$ if there is a polynomial equivalence relation $\mathcal{R}$ and an algorithm which, given $t$ strings $x_1, \ldots, x_t$ belonging to the same equivalence class of $\mathcal{R}$, computes an instance $(x^*, k^*) \in \Sigma^* \times \mathbb{N}$ in time polynomial in $\sum_{i=1}^{t} |x_i|$ such that:

— $(x^*, k^*) \in Q$ if and only if $x_i \in L$ for some $1 \le i \le t$.

— $k^*$ is bounded by a polynomial in $\max_{i=1}^{t} |x_i| + \log t$.

THEOREM A.7. If some problem $L$ is NP-hard under Karp reductions and $L$ cross-composes into the parameterized problem $Q$ then there is no polynomial kernel for $Q$ unless NP $\subseteq$ coNP/poly.

PROOF OF THEOREM 6.8. We may treat WSP$_1(=, \ne, \sim, \not\sim)$ as an instance of WSP$_1(\sim_1, \not\sim_1, \sim_2, \not\sim_2, \sim_3, \not\sim_3)$ for a canonical hierarchy with three levels, where $\sim_1$ and $\not\sim_1$ correspond to $=$ and $\ne$ respectively.

We will use Theorem A.7 to show the result, hence we need an NP-hard problem $L$ which cross-composes into WSP$_1(\sim_1, \not\sim_1, \sim_2, \not\sim_2, \sim_3, \not\sim_3)$. For this purpose we will use the problem 3-COLORING. An instance of 3-COLORING is a graph $G$ for which we want to decide whether it can be 3-colored. We say that two graphs $G_1$ and $G_2$ are equivalent if $|V(G_1)| = |V(G_2)|$. It is not difficult to see that this defines a polynomial equivalence relation on 3-COLORING (see Definition A.5).

Consider now $t$ instances of 3-COLORING, $G_1, G_2, \ldots, G_t$. Let

$$k = |V(G_1)| = |V(G_2)| = \cdots = |V(G_t)| \quad\text{and}\quad V(G_l) = \{x_1^l, x_2^l, \ldots, x_k^l\}.$$

We now construct an instance of WSP$_1(\sim_1, \not\sim_1, \sim_2, \not\sim_2, \sim_3, \not\sim_3)$ with steps $S$ and users $U$ defined as follows.

$$S = \Big(\bigcup_{i=1}^{k} V_i\Big) \cup \bigcup_{1 \le i < j \le k} \{e_{i,j}, e'_{i,j}\} \quad\text{where } V_i = \{v_i^1, v_i^2\};$$

$$U = \bigcup_{l=1}^{t} U_l \quad\text{where } U_l = \{c_1^l, c_2^l, c_3^l, a^l\}.$$

Observe that $|S| = k + k^2$ is bounded by a polynomial in the maximum size of $G_i$, $i \in [t]$.

We now define the hierarchy $\mathcal{H} = U^{(1)}, U^{(2)}, U^{(3)}$, where $U^{(1)}$ is the partition of $U$ containing all singletons, $U^{(2)}$ is the partition $U_1, U_2, \ldots, U_t$ and $U^{(3)}$ is the partition containing just one set $U$. We now define the constraints $C$ as follows.

$$\begin{aligned}
C = {} & \{(\not\sim_1, v_i^1, v_i^2) \mid i \in [k]\} \\
& \cup \{(\not\sim_1, v_i^1, e_{i,j}),\ (\not\sim_1, v_i^2, e_{i,j}),\ (\not\sim_1, e_{i,j}, e'_{i,j}),\ (\not\sim_1, v_j^1, e'_{i,j}),\ (\not\sim_1, v_j^2, e'_{i,j}) \mid 1 \le i < j \le k\} \\
& \cup \{(\sim_2, s_1, s_2) \mid s_1, s_2 \in S\}.
\end{aligned}$$

We now let all users, except $a^1, a^2, \ldots, a^t$, be authorized for all steps. Furthermore, if $x_i^a x_j^a \notin E(G_a)$, where $1 \le i < j \le k$, then authorize $a^a$ for $e_{i,j}$.

Claim A. The created instance has a valid plan if and only if one of the graphs $G_1, G_2, \ldots, G_t$ is 3-colorable. The result now follows by Theorem A.7.

Proof of Claim A. Assume that the created instance has a valid plan. The constraints $\{(\sim_2, s_1, s_2) \mid s_1, s_2 \in S\}$ imply that all users used in the plan belong to exactly one block in $U^{(2)}$, say $U_r$. Let $\gamma_i \in \{1, 2, 3\}$ be defined such that the users assigned to $v_i^1$ and $v_i^2$ are $\{c_1^r, c_2^r, c_3^r\} \setminus \{c_{\gamma_i}^r\}$, which is possible as $(\not\sim_1, v_i^1, v_i^2) \in C$ and $\{c_1^r, c_2^r, c_3^r\}$ are the only users from $U_r$ authorized for $\{v_i^1, v_i^2\}$. If $x_i^r x_j^r \in E(G_r)$ then $e_{i,j}$ must be assigned user $c_{\gamma_i}^r$ and $e'_{i,j}$ must be assigned user $c_{\gamma_j}^r$ (in this case $a^r$ is not authorized for $e_{i,j}$, and $a^r$ is never authorized for $e'_{i,j}$), which implies $\gamma_i \ne \gamma_j$, by the given constraints. Therefore $\gamma_1, \gamma_2, \ldots, \gamma_k$ is a 3-coloring of $G_r$. This shows one direction of Claim A.

Now assume we have a 3-coloring $\gamma_1, \gamma_2, \ldots, \gamma_k$ of $G_r$, for some $r \in [t]$. Assign users $\{c_1^r, c_2^r, c_3^r\} \setminus \{c_{\gamma_i}^r\}$ to the steps $v_i^1$ and $v_i^2$, and for all $e_{i,j}$ assign user $c_{\gamma_i}^r$ if $x_i^r x_j^r \in E(G_r)$ or user $a^r$ if $x_i^r x_j^r \notin E(G_r)$. Finally assign user $c_{\gamma_j}^r$ to all steps $e'_{i,j}$. Note that the given assignment of users satisfies all constraints, which completes the proof of the claim. $\square$
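The cross-composition above, as an added worked example that is not the paper's own code: the Python below builds the steps, users, authorizations and $\not\sim_1$ constraints from a list of constructed graphs on the same vertex set, enforces the $\sim_2$ constraints by searching one block $U_r$ at a time, and recovers $r$ and the coloring $\gamma_1, \ldots, \gamma_k$ from a plan exactly as in the proof of Claim A. The graphs used ($K_4$, which is not 3-colorable, and the 4-cycle $C_4$, which is) and all function names are my own.

```python
# Added example: cross-composition of 3-COLORING into WSP_1 with a
# three-level canonical hierarchy, checked on constructed graphs.
# Function names and the sample graphs are my own, not the paper's.
from itertools import combinations


def build_instance(graphs):
    """graphs: list of (k, edges); every graph has vertex set {1..k}.
    Returns (steps, users, auth, neq1) where neq1 lists the (~!_1, s1, s2)
    constraints (different users). The (~_2, s1, s2) constraints for all
    pairs are handled in find_plan: the whole plan uses a single block U_r."""
    k = graphs[0][0]
    t = len(graphs)
    steps = []
    for i in range(1, k + 1):
        steps += [("v", i, 1), ("v", i, 2)]              # V_i = {v_i^1, v_i^2}
    for i, j in combinations(range(1, k + 1), 2):
        steps += [("e", i, j), ("e'", i, j)]             # e_{i,j}, e'_{i,j}
    users = [("c", r, q) for r in range(1, t + 1) for q in (1, 2, 3)] \
          + [("a", r) for r in range(1, t + 1)]          # U_r = {c_1^r,c_2^r,c_3^r,a^r}
    # every c-user is authorized for every step; a^r only for e_{i,j}
    # when x_i x_j is NOT an edge of G_r
    auth = {s: {u for u in users if u[0] == "c"} for s in steps}
    for r, (_, edges) in enumerate(graphs, start=1):
        E = {tuple(sorted(e)) for e in edges}
        for i, j in combinations(range(1, k + 1), 2):
            if (i, j) not in E:
                auth[("e", i, j)].add(("a", r))
    neq1 = [(("v", i, 1), ("v", i, 2)) for i in range(1, k + 1)]
    for i, j in combinations(range(1, k + 1), 2):
        e, ep = ("e", i, j), ("e'", i, j)
        neq1 += [(("v", i, 1), e), (("v", i, 2), e), (e, ep),
                 (("v", j, 1), ep), (("v", j, 2), ep)]
    return steps, users, auth, neq1


def block(u):
    return u[1]   # index r of the level-2 block U_r containing user u


def find_plan(steps, users, auth, neq1):
    """Backtracking search; (~_2, s1, s2) for all s1, s2 means one block U_r."""
    different = {s: [] for s in steps}
    for s1, s2 in neq1:
        different[s1].append(s2)
        different[s2].append(s1)
    for r in sorted({block(u) for u in users}):
        plan = {}

        def extend(idx):
            if idx == len(steps):
                return True
            s = steps[idx]
            for u in sorted(auth[s]):
                if block(u) != r or any(plan.get(o) == u for o in different[s]):
                    continue
                plan[s] = u
                if extend(idx + 1):
                    return True
                del plan[s]
            return False

        if extend(0):
            return dict(plan)
    return None


def coloring_from_plan(plan, k):
    """r is the block used; gamma_i is the colour index not used on v_i^1, v_i^2."""
    r = block(plan[("v", 1, 1)])
    gamma = {}
    for i in range(1, k + 1):
        used = {plan[("v", i, 1)][2], plan[("v", i, 2)][2]}
        (gamma[i],) = {1, 2, 3} - used
    return r, gamma


def is_proper(edges, gamma):
    return all(gamma[i] != gamma[j] for i, j in edges)


if __name__ == "__main__":
    K4 = (4, [(1, 2), (1, 3), (1, 4), (2, 3), (2, 4), (3, 4)])   # constructed
    C4 = (4, [(1, 2), (2, 3), (3, 4), (1, 4)])                   # constructed
    print(find_plan(*build_instance([K4])))            # None: K_4 needs 4 colours
    plan = find_plan(*build_instance([K4, C4]))
    print(coloring_from_plan(plan, 4))                 # (2, proper colouring of C_4)
```

Running it with only $K_4$ yields no plan, while adding $C_4$ as $G_2$ yields a plan that uses block $U_2$ and from which a proper 3-coloring of $C_4$ is read off, matching both directions of Claim A.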

PROOF OF THEOREM 5.6. The result follows from a very similar argument to that used in the proof of Theorem 5.4. Notice that our method for identifying ineligible sets for Type 2 constraints of the form $(\ne, s, S')$ works equally well for Type 3 constraints of the form $(\ne, S_1, S_2)$ (since a set $F$ is ineligible if $S_1 \cup S_2 \subseteq F$).

However, we cannot use our method for constraints in $C_=$. Nevertheless, we can rewrite the set of constraints in $C_=$ as Type 2 constraints, at the cost of introducing additional workflow steps (as we did in the proof of Theorem 4.3). This requires the replacement of $d$ Type 3 constraints by $2d$ Type 2 constraints and the creation of $d$ new steps. Finally, we solve the resulting instance of WSP$_2$ for a workflow with $n$ users, $k + d$ steps and $c + 2d$ constraints, which has complexity $O((c + 2d)\, n\, 2^{k+d} + (k+d)^2\, 3^{k+d})$, by Theorem 5.4 and Remark 5.5.

We may assume without loss of generality that for all constraints of the form $(=, S_1, S_2)$ in $C_=$, $S_1 \cap S_2 = \emptyset$. (The constraint is trivially satisfied if there exists $s \in S_1 \cap S_2$, since we assume there exists at least one authorized user for every step.) Hence the number of constraints having this form is no greater than $\sum_{j=1}^{k} \binom{k}{j} 2^{k-j} \le 3^k$. $\square$
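The rewriting of $C_=$ used in the proof above, as an added worked example: the page states the counts ($d$ new steps, $2d$ Type 2 constraints) but not the gadget, so the construction below is my own reconstruction, and its choice to authorize every user for the new step is an assumption.

For each $(=, S_1, S_2) \in C_=$, introduce a new step $z$ for which every user is authorized, and replace the constraint by

$$(=, z, S_1) \quad\text{and}\quad (=, z, S_2).$$

If $\pi$ satisfies $(=, S_1, S_2)$ through $\pi(s_1) = \pi(s_2) = u$ with $s_1 \in S_1$, $s_2 \in S_2$, extend it by $\pi(z) = u$ and both new constraints hold. Conversely, a plan $\pi'$ of the rewritten instance has $\pi'(z) = \pi'(s_1)$ and $\pi'(z) = \pi'(s_2)$ for some $s_1 \in S_1$, $s_2 \in S_2$, so $\pi'$ restricted to the original steps satisfies $(=, S_1, S_2)$. Over all $d$ constraints of $C_=$ this adds $d$ steps and $2d$ Type 2 constraints, which is where the $k + d$ and $c + 2d$ in the bound above come from.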